Windows Analysis Report
Drawing&spec.scr.exe

Overview

General Information

Sample name: Drawing&spec.scr.exe
Analysis ID: 1569120
MD5: 3a43f4d6c1ce25bc8efe548fa2b16bc7
SHA1: e0b8080d2c241ee9c8d7d31adb6ecc0fc43d0a0e
SHA256: 4b5cc1e99d28651fbb693422c5d392c5d47dfa61c8ec4995197706de5cb3442a
Tags: exe, user-TeamDreier

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AntiVM3
Yara detected AsyncRAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Drawing&spec.scr.exe (PID: 4296 cmdline: "C:\Users\user\Desktop\Drawing&spec.scr.exe" MD5: 3A43F4D6C1CE25BC8EFE548FA2B16BC7)
    • unfatigued.exe (PID: 3680 cmdline: "C:\Users\user\Desktop\Drawing&spec.scr.exe" MD5: 3A43F4D6C1CE25BC8EFE548FA2B16BC7)
      • RegSvcs.exe (PID: 2876 cmdline: "C:\Users\user\Desktop\Drawing&spec.scr.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 6252 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • unfatigued.exe (PID: 1564 cmdline: "C:\Users\user\AppData\Local\iodite\unfatigued.exe" MD5: 3A43F4D6C1CE25BC8EFE548FA2B16BC7)
      • RegSvcs.exe (PID: 1272 cmdline: "C:\Users\user\AppData\Local\iodite\unfatigued.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "69.174.100.131", "Port": "6606", "Version": "0.5.8", "MutexName": "abkZfsCYRZhk", "Autorun": "false", "Group": "null"}
Source / Rule / Description / Author / Strings

Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp
  Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown
  Strings:
  • 0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xac38:$a2: Stub.exe
  • 0xacc8:$a2: Stub.exe
  • 0x6711:$a3: get_ActivatePong
  • 0x9b31:$a4: vmware
  • 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7460:$a6: get_SslClient
Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
  Strings:
  • 0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
11 further entries not shown.

Source / Rule / Description / Author / Strings

Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack
  Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack
  Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack
  Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Author: unknown
  Strings:
  • 0x9919:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xac38:$a2: Stub.exe
  • 0xacc8:$a2: Stub.exe
  • 0x6711:$a3: get_ActivatePong
  • 0x9b31:$a4: vmware
  • 0x99a9:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7460:$a6: get_SslClient
Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Author: ditekSHen
  Strings:
  • 0x99ab:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 5.2.unfatigued.exe.790000.0.unpack
  Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Author: Joe Security
13 further entries not shown.

System Summary

Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" , ProcessId: 6252, ProcessName: wscript.exe
Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs" , ProcessId: 6252, ProcessName: wscript.exe

Data Obfuscation

Source: File created, Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\iodite\unfatigued.exe, ProcessId: 3680, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs
No Suricata rule has matched
AV Detection

Source: 00000006.00000002.2361663433.0000000002471000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: AsyncRAT {"Server": "69.174.100.131", "Port": "6606", "Version": "0.5.8", "MutexName": "abkZfsCYRZhk", "Autorun": "false", "Group": "null"}
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, ReversingLabs: Detection: 52%
Source: Drawing&spec.scr.exe, ReversingLabs: Detection: 52%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Joe Sandbox ML: detected
Source: Drawing&spec.scr.exe, Joe Sandbox ML: detected
Source: Drawing&spec.scr.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: unfatigued.exe, 00000002.00000003.2112952246.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000002.00000003.2107648573.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2241369844.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2245065061.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: unfatigued.exe, 00000002.00000003.2112952246.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000002.00000003.2107648573.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2241369844.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2245065061.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0091445A
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091C6D1 FindFirstFileW,FindClose,0_2_0091C6D1
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0091C75C
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0091EF95
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0091F0F2
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0091F3F3
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_009137EF
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00913B12
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0091BCBC
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0080445A
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080C6D1 FindFirstFileW,FindClose,2_2_0080C6D1
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0080C75C
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0080EF95
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0080F0F2
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0080F3F3
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_008037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008037EF
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_00803B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00803B12
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0080BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0080BCBC

Networking

Source: Yara match, File source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic, TCP traffic: 192.168.2.5:49704 -> 69.174.100.131:6606
Source: Joe Sandbox View, ASN Name: ASN-QUADRANET-GLOBALUS ASN-QUADRANET-GLOBALUS
Source: unknown, TCP traffic detected without corresponding DNS query: 69.174.100.131
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_009222EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_009222EE

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match, File source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: unfatigued.exe PID: 3680, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: unfatigued.exe PID: 1564, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: RegSvcs.exe PID: 1272, type: MEMORYSTR
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_00924164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00924164
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_00814164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00814164
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_00923F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00923F66
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0091001C
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0093CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0093CABC
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_0082CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0082CABC

System Summary

Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPE, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPE, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 1272, type: MEMORYSTR, Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: This is a third-party compiled AutoIt script. 0_2_008B3B3A
Source: Drawing&spec.scr.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Drawing&spec.scr.exe, 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_2e4c8a0a-7
Source: Drawing&spec.scr.exe, 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_7b5523b2-9
Source: Drawing&spec.scr.exe, 00000000.00000003.2098734365.0000000002173000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_58f53185-c
Source: Drawing&spec.scr.exe, 00000000.00000003.2098734365.0000000002173000.00000004.00001000.00020000.00000000.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_d481bf07-8
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: This is a third-party compiled AutoIt script. 2_2_007A3B3A
Source: unfatigued.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unfatigued.exe, 00000002.00000000.2098985837.0000000000854000.00000002.00000001.01000000.00000004.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c59d3811-3
Source: unfatigued.exe, 00000002.00000000.2098985837.0000000000854000.00000002.00000001.01000000.00000004.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_0d93cf7d-0
Source: unfatigued.exe, 00000005.00000002.2250930576.0000000000854000.00000002.00000001.01000000.00000004.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3fabcb21-a
Source: unfatigued.exe, 00000005.00000002.2250930576.0000000000854000.00000002.00000001.01000000.00000004.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_1d9af30a-f
Source: Drawing&spec.scr.exe, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_0921d358-8
Source: Drawing&spec.scr.exe, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_7c5f55cd-4
Source: unfatigued.exe.0.dr, String found in binary or memory: This is a third-party compiled AutoIt script. memstr_063455dc-2
Source: unfatigued.exe.0.dr, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_a938608e-1
Source: C:\Windows\System32\wscript.exe, COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0091A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_0091A1EF
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_00908310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00908310
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_009151BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_009151BD
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe, Code function: 2_2_008051BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_008051BD
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008BE6A0
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008DD975
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008D21C5
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008E62D2
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_009303DA
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008E242E
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008D25FA
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008C66E1
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_0090E616
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008E878F
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_00918889
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008C8808
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_00930857
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008E6844
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008DCB21
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe, Code function: 0_2_008E6DB6
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008C6F9E0_2_008C6F9E
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008C30300_2_008C3030
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008D31870_2_008D3187
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008DF1D90_2_008DF1D9
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008B12870_2_008B1287
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008D14840_2_008D1484
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008C55200_2_008C5520
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008D76960_2_008D7696
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008C57600_2_008C5760
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008D19780_2_008D1978
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008E9AB50_2_008E9AB5
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008BFCE00_2_008BFCE0
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008D1D900_2_008D1D90
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008DBDA60_2_008DBDA6
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_00937DDB0_2_00937DDB
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008C3FE00_2_008C3FE0
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_008BDF000_2_008BDF00
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: 0_2_015555C80_2_015555C8
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007CD9752_2_007CD975
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C21C52_2_007C21C5
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007D62D22_2_007D62D2
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_008203DA2_2_008203DA
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007D242E2_2_007D242E
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C25FA2_2_007C25FA
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007FE6162_2_007FE616
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B66E12_2_007B66E1
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007AE6A02_2_007AE6A0
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007D878F2_2_007D878F
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_008088892_2_00808889
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007D68442_2_007D6844
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B88082_2_007B8808
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_008208572_2_00820857
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007CCB212_2_007CCB21
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007D6DB62_2_007D6DB6
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B6F9E2_2_007B6F9E
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B30302_2_007B3030
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007CF1D92_2_007CF1D9
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C31872_2_007C3187
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007A12872_2_007A1287
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C14842_2_007C1484
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B55202_2_007B5520
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C76962_2_007C7696
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B57602_2_007B5760
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C19782_2_007C1978
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007D9AB52_2_007D9AB5
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007AFCE02_2_007AFCE0
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_00827DDB2_2_00827DDB
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007CBDA62_2_007CBDA6
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007C1D902_2_007C1D90
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007ADF002_2_007ADF00
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_007B3FE02_2_007B3FE0
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 2_2_01353F382_2_01353F38
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: 5_2_011245305_2_01124530
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: String function: 008D8900 appears 42 times
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: String function: 008D0AE3 appears 70 times
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeCode function: String function: 008B7DE1 appears 35 times
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: String function: 007C0AE3 appears 70 times
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: String function: 007C8900 appears 42 times
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeCode function: String function: 007A7DE1 appears 36 times
              Source: Drawing&spec.scr.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: Process Memory Space: RegSvcs.exe PID: 1272, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, Settings.csBase64 encoded string: 'WNkhGMjQebraVKNP8JFd/jNpfhjf7hdwltwh0LWvVoYCxQpHu6yJfwfwIOMC74WVcZH7+WHsrPSjMsvy7epmeg==', 'l9vDqe8osDYeqDjReN8bepnhFzK0kjLr960y5qQiDWW09d9pn0afU+PP5SNJ5nkIDorNaASKWLbbSNDHIK7ohw==', 'kCHyBES7xMp0gDfYa1fttkuy2T5Ojdnm5AZlrUEPxE81oz2R1YvVX72Lcab30+lSKpURz4FNIs8pVycEn1xb7Q==', 'iKik4JeJK95LlxMDvYBCGsoyrm75GwbWYZeSTIfull44GdBkkt/IvOwicoa4FjNoO3mD8IJSbk9u2/5QOIVePg==', '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', 'sgvFcm3Q40Evg9+J186vdf7f4+k0GL/713AdMxKTUDu8vK4h3WXM1sWIEc/KQffpGkY0DfW07sXOo4NP9Ei6XQ==', 'NL9vuydxFmwT2ed8GZE71V7r/WSjHtYFSGx11meYI4Y1/rEnKSQxxIAbZjXt2Jm0eEnGqIGc+jmtefkmNr7yAg=='
              Source: 5.2.unfatigued.exe.790000.0.raw.unpack, Settings.csBase64 encoded string: 'WNkhGMjQebraVKNP8JFd/jNpfhjf7hdwltwh0LWvVoYCxQpHu6yJfwfwIOMC74WVcZH7+WHsrPSjMsvy7epmeg==', 'l9vDqe8osDYeqDjReN8bepnhFzK0kjLr960y5qQiDWW09d9pn0afU+PP5SNJ5nkIDorNaASKWLbbSNDHIK7ohw==', 'kCHyBES7xMp0gDfYa1fttkuy2T5Ojdnm5AZlrUEPxE81oz2R1YvVX72Lcab30+lSKpURz4FNIs8pVycEn1xb7Q==', 'iKik4JeJK95LlxMDvYBCGsoyrm75GwbWYZeSTIfull44GdBkkt/IvOwicoa4FjNoO3mD8IJSbk9u2/5QOIVePg==', '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', 'sgvFcm3Q40Evg9+J186vdf7f4+k0GL/713AdMxKTUDu8vK4h3WXM1sWIEc/KQffpGkY0DfW07sXOo4NP9Ei6XQ==', 'NL9vuydxFmwT2ed8GZE71V7r/WSjHtYFSGx11meYI4Y1/rEnKSQxxIAbZjXt2Jm0eEnGqIGc+jmtefkmNr7yAg=='
              Source: 5.2.unfatigued.exe.790000.0.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 5.2.unfatigued.exe.790000.0.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, Methods.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
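The Settings.cs strings above are the RAT's encrypted configuration, not plaintext: in AsyncRAT (the open-source project the Elastic rule above is written for) every setting is stored as Base64 of a 32-byte HMAC-SHA256 tag, a 16-byte IV and AES-256-CBC ciphertext, and both the AES key and the HMAC key are derived with PBKDF2-SHA1 (50,000 iterations, a fixed 32-byte salt) from the UTF-8 string inside the Base64 Key setting. The 88-character strings on this page decode to exactly 64 bytes, i.e. tag, IV and one cipher block, which is what short values such as a port or a host name produce. The PowerShell below is an added example and not part of the Joe Sandbox report: it decrypts such values with .NET's built-in crypto classes once the analyst supplies the Key field of the extracted configuration. That key is not reproduced in this section, so $KeyBase64 is left empty rather than guessed; a wrong key fails the HMAC check with a clear message instead of producing garbage. The salt and blob layout are AsyncRAT's own; the encrypted inputs are taken verbatim from the rows above (the elided fifth value is omitted).

```powershell
# Added example: decrypt AsyncRAT Settings values, which are stored as
# Base64( HMAC-SHA256(32 bytes) || IV(16 bytes) || AES-256-CBC ciphertext ).
# Both keys come from PBKDF2-SHA1 over the master key with the RAT's fixed salt.

# Fill in from the extracted configuration's 'Key' field (Base64). It is not reproduced in
# this section of the report, so the value here is an empty placeholder, not a guess.
$KeyBase64 = ''

# Encrypted values exactly as listed in the Settings.cs rows of this report
$EncryptedSettings = @(
    'WNkhGMjQebraVKNP8JFd/jNpfhjf7hdwltwh0LWvVoYCxQpHu6yJfwfwIOMC74WVcZH7+WHsrPSjMsvy7epmeg==',
    'l9vDqe8osDYeqDjReN8bepnhFzK0kjLr960y5qQiDWW09d9pn0afU+PP5SNJ5nkIDorNaASKWLbbSNDHIK7ohw==',
    'kCHyBES7xMp0gDfYa1fttkuy2T5Ojdnm5AZlrUEPxE81oz2R1YvVX72Lcab30+lSKpURz4FNIs8pVycEn1xb7Q==',
    'iKik4JeJK95LlxMDvYBCGsoyrm75GwbWYZeSTIfull44GdBkkt/IvOwicoa4FjNoO3mD8IJSbk9u2/5QOIVePg==',
    'sgvFcm3Q40Evg9+J186vdf7f4+k0GL/713AdMxKTUDu8vK4h3WXM1sWIEc/KQffpGkY0DfW07sXOo4NP9Ei6XQ==',
    'NL9vuydxFmwT2ed8GZE71V7r/WSjHtYFSGx11meYI4Y1/rEnKSQxxIAbZjXt2Jm0eEnGqIGc+jmtefkmNr7yAg=='
)

# Fixed PBKDF2 salt from the RAT's Aes256 class (50,000 iterations, SHA1)
[byte[]]$Salt = 0xBF,0xEB,0x1E,0x56,0xFB,0xCD,0x97,0x3B,0xB2,0x19,0x02,0x24,0x30,0xA5,0x78,0x43,
                0x00,0x3D,0x56,0x44,0xD2,0x1E,0x62,0xB9,0xD4,0xF1,0x80,0xE7,0xE6,0xC3,0x39,0x41

function Get-AsyncRatKeys {
    param([Parameter(Mandatory)][string]$KeyBase64)
    # The password fed to PBKDF2 is the UTF-8 text inside the Base64 'Key' setting
    $master = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($KeyBase64))
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new($master, $Salt, 50000)
    try {
        # Order matters: the first 32 derived bytes are the AES key, the following 64 the HMAC key
        $aesKey  = $kdf.GetBytes(32)
        $authKey = $kdf.GetBytes(64)
        [PSCustomObject]@{ AesKey = $aesKey; AuthKey = $authKey }
    } finally { $kdf.Dispose() }
}

function Unprotect-AsyncRatValue {
    param([string]$CipherBase64, [byte[]]$AesKey, [byte[]]$AuthKey)
    [byte[]]$blob = [Convert]::FromBase64String($CipherBase64)
    if ($blob.Length -lt 64) { throw "blob is $($blob.Length) bytes; expected HMAC(32) || IV(16) || at least one block" }

    # Authenticate IV || ciphertext against the 32-byte prefix before decrypting anything
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($AuthKey)
    $expected = $hmac.ComputeHash($blob, 32, $blob.Length - 32)
    $hmac.Dispose()
    $diff = 0
    for ($i = 0; $i -lt 32; $i++) { $diff = $diff -bor ($expected[$i] -bxor $blob[$i]) }
    if ($diff -ne 0) { throw 'HMAC mismatch: wrong Key, or not an AsyncRAT setting blob' }

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $AesKey
    $aes.IV      = [byte[]]$blob[32..47]
    $dec = $aes.CreateDecryptor()
    try {
        $plain = $dec.TransformFinalBlock($blob, 48, $blob.Length - 48)
        [Text.Encoding]::UTF8.GetString($plain)
    } finally { $dec.Dispose(); $aes.Dispose() }
}

if (-not $KeyBase64) { throw 'Set $KeyBase64 to the Key field of the extracted configuration first' }
$keys = Get-AsyncRatKeys -KeyBase64 $KeyBase64
foreach ($value in $EncryptedSettings) {
    try   { Unprotect-AsyncRatValue -CipherBase64 $value -AesKey $keys.AesKey -AuthKey $keys.AuthKey }
    catch { Write-Warning ("{0}...: {1}" -f $value.Substring(0, 12), $_.Exception.Message) }
}
```

Decompilers emit the Settings fields in declaration order, so the decrypted values normally come out as Ports, Hosts, Version, Install, InstallFolder, InstallFile and so on; a cheap cross-check is that the MTX setting should decrypt to the mutex name the injected RegSvcs.exe creates, which the report lists in the rows below.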
Source: classification engine | Classification label: mal100.troj.expl.evad.winEXE@10/7@0/1
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091A06A: GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_009081CB: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_009087E1: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007F81CB: AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007F87E1: LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091B3FB: SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0092EE0D: CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091C397: CoInitialize, CoCreateInstance, CoUninitialize
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B4E89: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | File created: C:\Users\user\AppData\Local\iodite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: \Sessions\1\BaseNamedObjects\abkZfsCYRZhk
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | File created: C:\Users\user\AppData\Local\Temp\aut9151.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs"
Source: Drawing&spec.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Drawing&spec.scr.exe | ReversingLabs: Detection: 52%
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | File read: C:\Users\user\Desktop\Drawing&spec.scr.exe
Source: unknown | Process created: C:\Users\user\Desktop\Drawing&spec.scr.exe "C:\Users\user\Desktop\Drawing&spec.scr.exe"
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Process created: C:\Users\user\AppData\Local\iodite\unfatigued.exe "C:\Users\user\Desktop\Drawing&spec.scr.exe"
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Drawing&spec.scr.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\iodite\unfatigued.exe "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Process created: C:\Users\user\AppData\Local\iodite\unfatigued.exe "C:\Users\user\Desktop\Drawing&spec.scr.exe"
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Drawing&spec.scr.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\iodite\unfatigued.exe "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
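The process rows above give the whole chain twice: the submitted dropper copies itself to %LocalAppData%\iodite\unfatigued.exe and runs it, and after the Startup-folder script fires, wscript.exe runs the same copy. Each unfatigued.exe then creates RegSvcs.exe (the .NET Services Installation Tool) with a command line that is not RegSvcs.exe's own path but the parent's ("C:\Users\user\Desktop\Drawing&spec.scr.exe" or "...\unfatigued.exe"). Together with the "Writes to foreign memory regions" and "Maps a DLL or memory area into another process" signatures and the AsyncRAT Yara hit inside RegSvcs.exe memory, that mismatch is the signature of a hollowed host: the loader launches a legitimate binary with its own command line and replaces the image. The PowerShell below is an added example, not part of the report: it evaluates process-creation records for the three observable conditions in this chain (script host running a Startup-folder script, script host spawning an EXE from AppData, and a .NET host whose command line names a different binary). The records are constructed to mirror the report's tree, with a benign RegSvcs.exe invocation as a control; field names follow Sysmon Event ID 1, the parent of wscript.exe (which the report lists as unknown) is assumed to be explorer.exe, and on a live host the same function would be fed the parsed Sysmon events.

```powershell
# Added example: evaluate process-creation records for the chain this report shows
# (wscript.exe running a Startup-folder script -> EXE under AppData -> RegSvcs.exe with a
# foreign command line). Field names follow Sysmon Event ID 1; the records are constructed
# to mirror the report's process tree plus one benign RegSvcs.exe invocation as a control.

$Records = @(
    [PSCustomObject]@{
        Image             = 'C:\Windows\System32\wscript.exe'
        CommandLine       = '"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs"'
        ParentImage       = 'C:\Windows\explorer.exe'      # assumed: the report lists this parent as unknown
        ParentCommandLine = 'C:\Windows\Explorer.EXE'
    },
    [PSCustomObject]@{
        Image             = 'C:\Users\user\AppData\Local\iodite\unfatigued.exe'
        CommandLine       = '"C:\Users\user\AppData\Local\iodite\unfatigued.exe"'
        ParentImage       = 'C:\Windows\System32\wscript.exe'
        ParentCommandLine = '"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs"'
    },
    [PSCustomObject]@{
        Image             = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
        CommandLine       = '"C:\Users\user\AppData\Local\iodite\unfatigued.exe"'   # as in the report: not RegSvcs.exe's own path
        ParentImage       = 'C:\Users\user\AppData\Local\iodite\unfatigued.exe'
        ParentCommandLine = '"C:\Users\user\AppData\Local\iodite\unfatigued.exe"'
    },
    [PSCustomObject]@{   # benign control (constructed): an admin registering a serviced component
        Image             = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
        CommandLine       = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" C:\Apps\Component.dll'
        ParentImage       = 'C:\Windows\System32\cmd.exe'
        ParentCommandLine = 'cmd.exe'
    }
)

function Get-CommandLineImage {
    # First token of a command line: the quoted path if it starts with a quote, else up to the first space
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]*)"') { return $Matches[1] }
    return ($CommandLine -split '\s+', 2)[0]
}

function Test-ScriptDropperChain {
    param([Parameter(ValueFromPipeline)]$Record)
    begin {
        $scriptHosts = 'wscript.exe', 'cscript.exe'
        # .NET utilities commonly used as injection hosts by this family's loaders
        $dotnetHosts = 'RegSvcs.exe', 'RegAsm.exe', 'InstallUtil.exe', 'MSBuild.exe', 'AppLaunch.exe'
    }
    process {
        $findings = @()
        $image  = [IO.Path]::GetFileName($Record.Image)
        $parent = [IO.Path]::GetFileName($Record.ParentImage)

        # 1. Script host executing a script that lives in a Startup folder
        if (($image -in $scriptHosts) -and
            ($Record.CommandLine -match '\\Start Menu\\Programs\\Startup\\[^"]+\.(vbs|vbe|js|jse|wsf)')) {
            $findings += 'script host running a Startup-folder script'
        }
        # 2. Script host spawning an executable out of a user profile's AppData
        if (($parent -in $scriptHosts) -and ($Record.Image -match '\\AppData\\')) {
            $findings += 'script host spawned an EXE from AppData'
        }
        # 3. .NET host whose command line names a different binary: the parent created it with
        #    its own command line, which is what a hollowing loader does before replacing the image
        if ($image -in $dotnetHosts) {
            $claimed = [IO.Path]::GetFileName((Get-CommandLineImage $Record.CommandLine))
            if ($claimed -ne $image) {
                $findings += "$image started with foreign command line ($claimed): likely hollowed"
            }
        }
        if ($findings.Count -gt 0) {
            [PSCustomObject]@{
                Image    = $Record.Image
                Parent   = $Record.ParentImage
                Findings = $findings -join '; '
            }
        }
    }
}

# Three of the four constructed records are flagged; the benign RegSvcs.exe run is not
$Records | Test-ScriptDropperChain | Format-Table -AutoSize -Wrap
```

The command-line check is the one worth keeping in a production rule: a process whose first command-line token does not name its own image is rare for these utilities, whereas RegSvcs.exe alone is legitimate on developer and server builds.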
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\Drawing&spec.scr.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\iodite\unfatigued.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: Drawing&spec.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: unfatigued.exe, 00000002.00000003.2112952246.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000002.00000003.2107648573.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2241369844.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2245065061.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: unfatigued.exe, 00000002.00000003.2112952246.0000000003AF0000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000002.00000003.2107648573.0000000003C90000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2241369844.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000003.2245065061.00000000038B0000.00000004.00001000.00020000.00000000.sdmp
Source: Drawing&spec.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Drawing&spec.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Drawing&spec.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Drawing&spec.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Drawing&spec.scr.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B4B37 LoadLibraryA,GetProcAddress | 0_2_008B4B37
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008D8945 push ecx; ret | 0_2_008D8958
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007AC4C7 push A3007ABAh; retn 007Ah | 2_2_007AC50D
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007C8945 push ecx; ret | 2_2_007C8958
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | File created: C:\Users\user\AppData\Local\iodite\unfatigued.exe (dropped file)
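The five "Data directory ... is in" lines above are the static check a packer-triage script performs: read the data directories from the optional header and find which section's virtual range contains each RVA. Below is an added example that reproduces that check with the Python standard library only; it is not part of the Joe Sandbox report and not Joe Sandbox code. The PE it parses is a constructed, header-only skeleton (no code, no real imports) whose section layout and directory RVAs are assumptions of the example, with one TLS directory deliberately pointed outside every section to show the case a practitioner cares about.

```python
import struct

# IMAGE_DIRECTORY_ENTRY_* indices in the order winnt.h defines them
DIRECTORY_NAMES = [
    "IMAGE_DIRECTORY_ENTRY_EXPORT", "IMAGE_DIRECTORY_ENTRY_IMPORT",
    "IMAGE_DIRECTORY_ENTRY_RESOURCE", "IMAGE_DIRECTORY_ENTRY_EXCEPTION",
    "IMAGE_DIRECTORY_ENTRY_SECURITY", "IMAGE_DIRECTORY_ENTRY_BASERELOC",
    "IMAGE_DIRECTORY_ENTRY_DEBUG", "IMAGE_DIRECTORY_ENTRY_ARCHITECTURE",
    "IMAGE_DIRECTORY_ENTRY_GLOBALPTR", "IMAGE_DIRECTORY_ENTRY_TLS",
    "IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG", "IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT",
    "IMAGE_DIRECTORY_ENTRY_IAT", "IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT",
    "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", "IMAGE_DIRECTORY_ENTRY_RESERVED",
]
SECURITY_DIRECTORY = 4  # holds a raw file offset, not an RVA, so it is never section-mapped


def parse_pe(data: bytes):
    """Return (data_directories, sections) read from the headers of a PE image.

    data_directories is a list of (rva, size); sections is a list of (name, va, span).
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories start 96 bytes into the optional header
        dirs_off = opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes, because ImageBase and the stack/heap fields widen
        dirs_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]   # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, dirs_off + 8 * i) for i in range(num_dirs)]
    sections = []
    sec_off = opt + opt_size
    for i in range(num_sections):
        name, vsize, va, rawsize = struct.unpack_from("<8sIII", data, sec_off + 40 * i)
        # Old linkers leave VirtualSize at 0; fall back to the raw size in that case
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize or rawsize))
    return dirs, sections


def locate_directories(data: bytes):
    """Map every populated data directory to the section whose virtual range holds it."""
    dirs, sections = parse_pe(data)
    placement = {}
    for idx, (rva, size) in enumerate(dirs):
        if (rva == 0 and size == 0) or idx == SECURITY_DIRECTORY:
            continue
        name = DIRECTORY_NAMES[idx] if idx < len(DIRECTORY_NAMES) else "DIRECTORY_%d" % idx
        placement[name] = next(
            (sec for sec, va, span in sections if va <= rva < va + span),
            "(outside any section)",   # a directory nothing maps is a packer or corruption tell
        )
    return placement


def build_sample_pe() -> bytes:
    """Constructed PE32 header skeleton for this example (assumed layout, no code)."""
    sections = [(b".text", 0x1000, 0x4000), (b".rdata", 0x5000, 0x2000),
                (b".rsrc", 0x7000, 0x1000), (b".reloc", 0x8000, 0x1000)]
    dirs = [(0, 0)] * 16
    dirs[1] = (0x5200, 0x100)    # import table in .rdata
    dirs[2] = (0x7000, 0x800)    # resources in .rsrc
    dirs[5] = (0x8000, 0x300)    # relocations in .reloc
    dirs[9] = (0x9500, 0x18)     # TLS directory pointing past every section
    dirs[10] = (0x5800, 0x40)    # load config in .rdata
    dirs[12] = (0x5000, 0x200)   # IAT in .rdata
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 92, len(dirs))                    # NumberOfRvaAndSizes
    for i, (rva, size) in enumerate(dirs):
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    headers = b"".join(struct.pack("<8sIIIIIIHHI", name, span, va, span, 0, 0, 0, 0, 0, 0x40000040)
                       for name, va, span in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers


if __name__ == "__main__":
    for directory, section in locate_directories(build_sample_pe()).items():
        print(f"{directory} is in: {section}")
```

On a real sample, replace `build_sample_pe()` with the bytes of the file; the output then reads like the five report lines above. An import table or IAT that resolves to a section other than `.rdata`/`.idata`, or that maps to no section at all, is the first thing to look at when a binary is suspected of being packed.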

Boot Survival

Source: Yara match | File source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 3680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 1564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1272, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs (dropped file)
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs (2 events)
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_008B48D7
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00935376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00935376
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007A48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 2_2_007A48D7
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_00825376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 2_2_00825376
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008D3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (x36) | 0_2_008D3187
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (34 events)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 events)
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process information set: NOOPENFILEERRORBOX (2 events)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (25 events)
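The persistence chain this section records has two observable hops: the dropped binary writes unfatigued.vbs into the user's Startup folder, and on the next logon wscript.exe runs that script, which relaunches the binary from AppData. Both hops are cheap to detect from endpoint telemetry. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: two detection rules run over constructed Sysmon-like events (the event field names, the script-extension list and the user-writable path list are assumptions of the example) built from the paths in this report, plus two benign look-alikes that must not fire.

```python
import ntpath

# Rule inputs; these lists are assumptions of the example, tune them per estate
STARTUP_FOLDER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed events in a Sysmon-like shape (keys are assumptions of this example),
# modelled on the report: the binary drops unfatigued.vbs into Startup, and the
# script host later relaunches the binary from AppData. Two benign events are mixed in.
SAMPLE_EVENTS = [
    {"type": "file_create",
     "image": r"C:\Users\user\AppData\Local\iodite\unfatigued.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs"},
    {"type": "file_create",                        # benign: the user pins a shortcut
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
    {"type": "process_create",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\user\AppData\Local\iodite\unfatigued.exe",
     "command_line": r'"C:\Users\user\AppData\Local\iodite\unfatigued.exe"'},
    {"type": "process_create",                     # benign: a script opens a system binary
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe"},
]


def startup_script_drop(event):
    """Flag a script file written into any user's Startup folder."""
    if event["type"] != "file_create":
        return None
    target = event["target"].lower()
    if STARTUP_FOLDER in target and ntpath.splitext(target)[1] in SCRIPT_EXTENSIONS:
        return {"rule": "startup_script_drop", "writer": event["image"], "file": event["target"]}
    return None


def script_host_spawns_user_binary(event):
    """Flag wscript/cscript/mshta launching an executable from a user-writable path."""
    if event["type"] != "process_create":
        return None
    parent = ntpath.basename(event["parent_image"]).lower()
    image = event["image"].lower()
    if parent in SCRIPT_HOSTS and any(fragment in image for fragment in USER_WRITABLE):
        return {"rule": "script_host_spawns_user_binary",
                "parent": event["parent_image"], "child": event["image"]}
    return None


RULES = (startup_script_drop, script_host_spawns_user_binary)


def run_rules(events):
    """Apply every rule to every event and return the findings in event order."""
    findings = []
    for event in events:
        for rule in RULES:
            hit = rule(event)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

The Startup rule keys on the folder and the extension rather than on the writer, because the writer here is an unknown binary in AppData that no allowlist would name; the process rule keys on the parent being a script host and the child living in a user-writable directory, which catches the relaunch regardless of what the VBS is called.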

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 3680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 1564, type: MEMORYSTR
Source: Yara match | File source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 3680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 1564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1272, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | API/Special instruction interceptor: Address: 1353B5C
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | API/Special instruction interceptor: Address: 1124154
Source: unfatigued.exe, 00000005.00000003.2234349468.0000000001113000.00000004.00000020.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000002.2251315062.000000000119C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: unfatigued.exe, 00000002.00000002.2115612124.00000000011FD000.00000004.00000020.00020000.00000000.sdmp, unfatigued.exe, 00000002.00000003.2099697270.000000000118E000.00000004.00000020.00020000.00000000.sdmp, unfatigued.exe, 00000002.00000003.2100019037.00000000011FD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEA
Source: unfatigued.exe, 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
Source: Drawing&spec.scr.exe, 00000000.00000003.2092123209.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Drawing&spec.scr.exe, 00000000.00000002.2100060512.000000000156C000.00000004.00000020.00020000.00000000.sdmp, Drawing&spec.scr.exe, 00000000.00000003.2092040900.00000000014FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXES
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | API coverage: 4.6 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File Volume queried: C:\ FullSizeInformation (2 events)
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0091445A
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091C6D1 FindFirstFileW,FindClose | 0_2_0091C6D1
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0091C75C
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0091EF95
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0091F0F2
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0091F3F3
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_009137EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_009137EF
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00913B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00913B12
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0091BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0091BCBC
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080445A GetFileAttributesW,FindFirstFileW,FindClose | 2_2_0080445A
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080C6D1 FindFirstFileW,FindClose | 2_2_0080C6D1
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 2_2_0080C75C
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 2_2_0080EF95
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 2_2_0080F0F2
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 2_2_0080F3F3
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_008037EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 2_2_008037EF
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_00803B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 2_2_00803B12
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_0080BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 2_2_0080BCBC
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_008B49A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
Source: RegSvcs.exe, 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: vmware
Source: RegSvcs.exe, 00000003.00000002.3333421687.00000000010A6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00923F09 BlockInput | 0_2_00923F09
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_008B3B3A
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008E5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_008E5A7C
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B4B37 LoadLibraryA,GetProcAddress | 0_2_008B4B37
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_01555458 mov eax, dword ptr fs:[00000030h] | 0_2_01555458
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_015554B8 mov eax, dword ptr fs:[00000030h] | 0_2_015554B8
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_01553DC8 mov eax, dword ptr fs:[00000030h] | 0_2_01553DC8
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_01352738 mov eax, dword ptr fs:[00000030h] | 2_2_01352738
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_01353DC8 mov eax, dword ptr fs:[00000030h] | 2_2_01353DC8
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_01353E28 mov eax, dword ptr fs:[00000030h] | 2_2_01353E28
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 5_2_01122D30 mov eax, dword ptr fs:[00000030h] | 5_2_01122D30
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 5_2_01124420 mov eax, dword ptr fs:[00000030h] | 5_2_01124420
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 5_2_011243C0 mov eax, dword ptr fs:[00000030h] | 5_2_011243C0
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_009080A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation | 0_2_009080A9
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008DA124 SetUnhandledExceptionFilter | 0_2_008DA124
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008DA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_008DA155
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007CA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_007CA155
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_007CA124 SetUnhandledExceptionFilter | 2_2_007CA124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write, page guard
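Two of the findings in this section deserve a second look before they are written up as evasion. The memory strings (PROCMON.EXE, SBIEDLL.DLL, vmware) are only useful if you can reproduce the search, and AutoIt and .NET payloads store most of their strings as UTF-16LE, so an ASCII-only `strings` pass misses them. The "Thread delayed: 922337203685477" entry is not a chosen sleep length: it is 2^63 100-ns ticks expressed in milliseconds, which is what an INFINITE timeout looks like once a sandbox converts the NtDelayExecution interval, i.e. a parked thread rather than a sleep-through attempt. The following added example (not part of the Joe Sandbox report and not Joe Sandbox code) does both: a dual-encoding indicator scan over a constructed memory blob, and a delay classifier; the indicator list and the 600-second analysis budget are assumptions of the example.

```python
import re

# Watch-list built from the strings this report found in memory (PROCMON.EXE,
# SBIEDLL.DLL, vmware, Hyper-V) plus a few common siblings. The list itself is
# an assumption of this example, not a Joe Sandbox rule.
INDICATORS = [
    "procmon.exe", "procexp.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe",
    "sbiedll.dll", "vmware", "vbox", "qemu", "hyper-v",
]

# 2**63 100-ns ticks in milliseconds: the magnitude of an INFINITE relative
# timeout after conversion, and exactly the 922337203685477 reported for RegSvcs.exe.
INFINITE_SENTINEL_MS = (1 << 63) // 10_000


def scan_for_indicators(blob: bytes):
    """Return sorted (offset, encoding, indicator) tuples for ASCII and UTF-16LE hits."""
    hits = []
    for indicator in INDICATORS:
        for encoding in ("ascii", "utf-16-le"):
            needle = re.escape(indicator.encode(encoding))
            # IGNORECASE on a bytes pattern folds ASCII letters only, which is exactly
            # what is needed: the interleaved NUL bytes of UTF-16LE must match literally.
            for match in re.finditer(needle, blob, re.IGNORECASE):
                hits.append((match.start(), encoding, indicator))
    return sorted(hits)


def classify_delay(delay_ms: int, analysis_budget_s: int = 600) -> str:
    """Separate a parked thread from a sleep chosen to outlast the sandbox run."""
    if delay_ms >= INFINITE_SENTINEL_MS:
        return "infinite-wait sentinel: thread parked, not a timed sleep"
    if delay_ms > analysis_budget_s * 1000:
        return "sleep exceeds analysis budget: possible sleep-through evasion"
    return "ordinary delay"


# Constructed memory blob for the example: an upper-case ASCII process name and a
# wide-string DLL name as they appear in the report, padding, and a hypervisor name.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"PROCMON.EXE\x00"
    + "SbieDll.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 8
    + b"vmware\x00"
)


if __name__ == "__main__":
    for offset, encoding, indicator in scan_for_indicators(SAMPLE_DUMP):
        print(f"0x{offset:04x} {encoding:<9} {indicator}")
    print(classify_delay(922337203685477))
```

Run `scan_for_indicators` over the `.sdmp` regions the report names to confirm which process actually carries the check; a hit in the AutoIt runtime's string table (the "PROCMON.EXE" seen in the dropper) and a hit inside the unpacked AsyncRAT image in RegSvcs.exe ("SBIEDLL.DLL") point at different authors and different evasion logic.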

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write (2 events)
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D8E008
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 314008
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_009087B1 LogonUserW | 0_2_009087B1
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_008B3B3A
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_008B48D7
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00914C27 mouse_event | 0_2_00914C27
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\Drawing&spec.scr.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\iodite\unfatigued.exe "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00907CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00907CAF
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_0090874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_0090874B
Source: Drawing&spec.scr.exe, unfatigued.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Drawing&spec.scr.exe, unfatigued.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008D862B cpuid | 0_2_008D862B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation (2 events)
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008E4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_008E4E87
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008F1E06 GetUserNameW | 0_2_008F1E06
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008E3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_008E3F3A
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_008B49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_008B49A0
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
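The injection in this section leaves two independent tells in ordinary endpoint telemetry: the new process's image is RegSvcs.exe but its command line names the dropper ("C:\Users\user\Desktop\Drawing&spec.scr.exe"), and a binary in AppData then maps an execute/read/write section into that process and writes to it. Either tell alone is noisy; both against the same PID is a hollowed .NET host. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox code: it correlates the two tells over constructed Sysmon-like events built from the paths in this report (event field names, the .NET host list and the severity labels are assumptions of the example), with a legitimate RegSvcs.exe run included to show it is not flagged.

```python
import ntpath

# .NET utilities that AsyncRAT-style loaders commonly hollow (list is an assumption)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "applaunch.exe", "aspnet_compiler.exe"}

# Constructed events (field names are assumptions of this example) modelled on
# the report: RegSvcs.exe created with the dropper's path as its command line, an
# RWX section mapped into it and memory written to it from unfatigued.exe. The
# last two events are a benign RegSvcs.exe run and a system-process access.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1272,
     "parent_image": r"C:\Users\user\AppData\Local\iodite\unfatigued.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "command_line": r'"C:\Users\user\Desktop\Drawing&spec.scr.exe"'},
    {"type": "remote_memory", "op": "map_section", "target_pid": 1272,
     "source_image": r"C:\Users\user\AppData\Local\iodite\unfatigued.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "protection": "execute and read and write"},
    {"type": "remote_memory", "op": "write", "target_pid": 1272, "base": 0xD8E008,
     "source_image": r"C:\Users\user\AppData\Local\iodite\unfatigued.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"type": "process_create", "pid": 4100,                    # benign: real registration job
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u MyAssembly.dll'},
    {"type": "remote_memory", "op": "write", "target_pid": 4100, "base": 0x7FF000,
     "source_image": r"C:\Windows\System32\csrss.exe",         # benign: system process
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
]


def first_token(command_line: str) -> str:
    """Return the executable named at the start of a command line, quoted or bare."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def image_commandline_mismatch(event):
    """Tell 1: the image on disk is not the executable the command line claims."""
    if event["type"] != "process_create":
        return None
    image = ntpath.basename(event["image"]).lower()
    claimed = ntpath.basename(first_token(event["command_line"])).lower()
    if claimed and claimed != image:
        return event["pid"], "image_commandline_mismatch"
    return None


def foreign_memory_access(event):
    """Tell 2: a process outside C:\\Windows maps or writes memory in a .NET host."""
    if event["type"] != "remote_memory":
        return None
    target = ntpath.basename(event["target_image"]).lower()
    source_is_system = event["source_image"].lower().startswith("c:\\windows\\")
    if target in DOTNET_HOSTS and not source_is_system:
        return event["target_pid"], "foreign_memory_access"
    return None


def analyze(events):
    """Group rule hits per target PID; two distinct tells on one PID escalate severity."""
    per_pid = {}
    for event in events:
        for rule in (image_commandline_mismatch, foreign_memory_access):
            hit = rule(event)
            if hit is None:
                continue
            pid, name = hit
            entry = per_pid.setdefault(pid, {"rules": [], "severity": "medium"})
            if name not in entry["rules"]:
                entry["rules"].append(name)
            if len(entry["rules"]) >= 2:
                entry["severity"] = "high"
    return per_pid


if __name__ == "__main__":
    for pid, info in analyze(SAMPLE_EVENTS).items():
        print(pid, info)
```

The command-line check is the cheaper of the two and needs only process-creation logging; the memory-access check needs Sysmon event 8/10-style telemetry or an EDR sensor. Keep both, because a loader that passes its own path as the command line defeats the first and a loader that injects from a copy under C:\Windows\Temp defeats the second as written (extend `source_is_system` to exclude writable subfolders of the Windows directory if that matters in your estate).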

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 2.2.unfatigued.exe.1ea0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.unfatigued.exe.790000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unfatigued.exe.1ea0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.unfatigued.exe.790000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.530000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 3680, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: unfatigued.exe PID: 1564, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1272, type: MEMORYSTR
Source: unfatigued.exe, 00000005.00000003.2234349468.0000000001113000.00000004.00000020.00020000.00000000.sdmp, unfatigued.exe, 00000005.00000002.2251315062.000000000119C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: unfatigued.exe | Binary or memory string: WIN_81
Source: unfatigued.exe | Binary or memory string: WIN_XP
Source: unfatigued.exe | Binary or memory string: WIN_XPe
Source: unfatigued.exe | Binary or memory string: WIN_VISTA
Source: unfatigued.exe | Binary or memory string: WIN_7
Source: unfatigued.exe | Binary or memory string: WIN_8
Source: unfatigued.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00926283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 0_2_00926283
Source: C:\Users\user\Desktop\Drawing&spec.scr.exe | Code function: 0_2_00926747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_00926747
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_00816283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket | 2_2_00816283
Source: C:\Users\user\AppData\Local\iodite\unfatigued.exe | Code function: 2_2_00816747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 2_2_00816747
              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity Information111
              Scripting
              2
              Valid Accounts
              2
              Native API
              111
              Scripting
              1
              Exploitation for Privilege Escalation
              11
              Disable or Modify Tools
              21
              Input Capture
              2
              System Time Discovery
              Remote Services1
              Archive Collected Data
              1
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts1
              Scheduled Task/Job
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Deobfuscate/Decode Files or Information
              LSASS Memory1
              Account Discovery
              Remote Desktop Protocol21
              Input Capture
              1
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAt2
              Valid Accounts
              2
              Valid Accounts
              121
              Obfuscated Files or Information
              Security Account Manager2
              File and Directory Discovery
              SMB/Windows Admin Shares3
              Clipboard Data
              1
              Non-Standard Port
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCron1
              Scheduled Task/Job
              21
              Access Token Manipulation
              1
              DLL Side-Loading
              NTDS127
              System Information Discovery
              Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchd2
              Registry Run Keys / Startup Folder
              212
              Process Injection
              1
              Masquerading
              LSA Secrets341
              Security Software Discovery
              SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
              Scheduled Task/Job
              2
              Valid Accounts
              Cached Domain Credentials11
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items2
              Registry Run Keys / Startup Folder
              11
              Virtualization/Sandbox Evasion
              DCSync2
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
              Access Token Manipulation
              Proc Filesystem1
              Application Window Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
              Process Injection
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1569120
Sample: Drawing&spec.scr.exe
Start date: 05/12/2024
Architecture: WINDOWS
Score: 100
Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures

Process tree recovered from the behavior graph:

• Drawing&spec.scr.exe started
  • dropped: C:\Users\user\AppData\...\unfatigued.exe, PE32
  • Binary is likely a compiled AutoIt script file
  • Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  • unfatigued.exe started
    • dropped: C:\Users\user\AppData\...\unfatigued.vbs, data
    • Multi AV Scanner detection for dropped file
    • Binary is likely a compiled AutoIt script file
    • Machine Learning detection for dropped file
    • 2 other signatures
    • RegSvcs.exe started
      • contacts 69.174.100.131 (ports 49704, 49766, 49828), ASN-QUADRANET-GLOBALUS, United States
• wscript.exe started
  • Windows Scripting host queries suspicious COM object (likely to drop second stage)
  • unfatigued.exe started
    • Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    • Writes to foreign memory regions
    • Maps a DLL or memory area into another process
    • RegSvcs.exe started

Source | Detection | Scanner | Label
Drawing&spec.scr.exe | 53% | ReversingLabs | Win32.Trojan.AutoitInject
Drawing&spec.scr.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\iodite\unfatigued.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\iodite\unfatigued.exe | 53% | ReversingLabs | Win32.Trojan.AutoitInject
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
69.174.100.131 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1569120
              Start date and time:2024-12-05 14:00:08 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 36s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:Drawing&spec.scr.exe
              Detection:MAL
              Classification:mal100.troj.expl.evad.winEXE@10/7@0/1
              EGA Information:
              • Successful, ratio: 60%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 53
              • Number of non-executed functions: 278
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
              • Execution Graph export aborted for target RegSvcs.exe, PID 1272 because it is empty
              • Execution Graph export aborted for target RegSvcs.exe, PID 2876 because it is empty
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: Drawing&spec.scr.exe
Time | Type | Description
14:01:09 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs
              No context
              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASN-QUADRANET-GLOBALUS | mipsel.nn.elf | malicious | Mirai, Okiru | 216.144.226.243
ASN-QUADRANET-GLOBALUS | sh4.elf | malicious | Gafgyt, Mirai | 23.163.68.178
ASN-QUADRANET-GLOBALUS | enmebest.doc | malicious | Unknown | 66.63.187.231
ASN-QUADRANET-GLOBALUS | teste.i686.elf | malicious | Mirai, Moobot, Okiru | 162.220.9.15
ASN-QUADRANET-GLOBALUS | sh4.elf | malicious | Mirai | 162.220.9.67
ASN-QUADRANET-GLOBALUS | pE7icjUisS.exe | malicious | AgentTesla | 104.247.165.99
ASN-QUADRANET-GLOBALUS | RFQ 9-XTC-204-60THD.xlsx.exe | malicious | Quasar | 69.174.99.131
ASN-QUADRANET-GLOBALUS | quotation.exe | malicious | FormBook | 155.94.253.4
ASN-QUADRANET-GLOBALUS | Quote Qu11262024.scr.exe | malicious | Remcos, GuLoader | 66.63.187.246
ASN-QUADRANET-GLOBALUS | sora.sh4.elf | malicious | Mirai | 154.205.102.33
              No context
              No context
              Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):425
              Entropy (8bit):5.353683843266035
              Encrypted:false
              SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
              MD5:859802284B12C59DDBB85B0AC64C08F0
              SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
              SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
              SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
              Process:C:\Users\user\Desktop\Drawing&spec.scr.exe
              File Type:data
              Category:dropped
              Size (bytes):40012
              Entropy (8bit):7.871659135370569
              Encrypted:false
              SSDEEP:768:dfgzg1Fk86rizIcKSXeSHDGr/HvsDdogzu5tDCxZTwHmSdhGMZK2MbOFsUVo:d4zqk8VeTPsJogzuLDCxWHpA+KlJCo
              MD5:DC15A62A9914552F15679242D35D5E30
              SHA1:E302D9C00DBCA360FBE1AFA8DD11D30CAB59E57B
              SHA-256:9230671566AB4D39B3267EB0696D7851320D0A69E75E79C70AD60889266AFF13
              SHA-512:6F1F52EE39E6F5C00A75EE812CA315F1E6923865160568C3AF0ED1ED8055A76E3226FB5EA45B5823FDD2AAE7DDDDCD27CA1BF97E0A490254DD128074CCF5D7DB
              Malicious:false
              Reputation:low
              Process:C:\Users\user\AppData\Local\iodite\unfatigued.exe
              File Type:data
              Category:dropped
              Size (bytes):40012
              Entropy (8bit):7.871659135370569
              Encrypted:false
              SSDEEP:768:dfgzg1Fk86rizIcKSXeSHDGr/HvsDdogzu5tDCxZTwHmSdhGMZK2MbOFsUVo:d4zqk8VeTPsJogzuLDCxWHpA+KlJCo
              MD5:DC15A62A9914552F15679242D35D5E30
              SHA1:E302D9C00DBCA360FBE1AFA8DD11D30CAB59E57B
              SHA-256:9230671566AB4D39B3267EB0696D7851320D0A69E75E79C70AD60889266AFF13
              SHA-512:6F1F52EE39E6F5C00A75EE812CA315F1E6923865160568C3AF0ED1ED8055A76E3226FB5EA45B5823FDD2AAE7DDDDCD27CA1BF97E0A490254DD128074CCF5D7DB
              Malicious:false
              Reputation:low
              Process:C:\Users\user\AppData\Local\iodite\unfatigued.exe
              File Type:data
              Category:dropped
              Size (bytes):40012
              Entropy (8bit):7.871659135370569
              Encrypted:false
              SSDEEP:768:dfgzg1Fk86rizIcKSXeSHDGr/HvsDdogzu5tDCxZTwHmSdhGMZK2MbOFsUVo:d4zqk8VeTPsJogzuLDCxWHpA+KlJCo
              MD5:DC15A62A9914552F15679242D35D5E30
              SHA1:E302D9C00DBCA360FBE1AFA8DD11D30CAB59E57B
              SHA-256:9230671566AB4D39B3267EB0696D7851320D0A69E75E79C70AD60889266AFF13
              SHA-512:6F1F52EE39E6F5C00A75EE812CA315F1E6923865160568C3AF0ED1ED8055A76E3226FB5EA45B5823FDD2AAE7DDDDCD27CA1BF97E0A490254DD128074CCF5D7DB
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\Drawing&spec.scr.exe
              File Type:data
              Category:dropped
              Size (bytes):46080
              Entropy (8bit):6.701440322658133
              Encrypted:false
              SSDEEP:768:Fcy0wf3/pdpl/1phrhV2bZTAKrEgozIloqbLyAgMrnNwwO5cKxSE68MH6+WTcPpW:Kf+/z9nGTAKAgKGoq/ytMhwwnKYE68A0
              MD5:064C06CE3704AC5CE2D8EFEB296A9422
              SHA1:DCC706429D796903BCD7E77D41E5981BEFF878F4
              SHA-256:819CC43386C4EB72D4AE4E4EDCF9EB5F0A654DFE3B56B45C5F9A9D553BC9CC82
              SHA-512:423FDA98347DB0F083A74C758B8526119A87E0944A067503D380C504E3AD9A341C122F721F86BB75BB9AA2F1017D4BAD6C298BCBCC98E8FB1DCEF722919205DE
              Malicious:false
              Reputation:low
              Process:C:\Users\user\Desktop\Drawing&spec.scr.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):963584
              Entropy (8bit):6.844136552570977
              Encrypted:false
              SSDEEP:24576:uu6J33O0c+JY5UZ+XC0kGso6FauSnJzxWY:gu0c++OCvkGs9FauSaY
              MD5:3A43F4D6C1CE25BC8EFE548FA2B16BC7
              SHA1:E0B8080D2C241EE9C8D7D31ADB6ECC0FC43D0A0E
              SHA-256:4B5CC1E99D28651FBB693422C5D392C5D47DFA61C8EC4995197706DE5CB3442A
              SHA-512:3613B2AF89545273FB21C09889E02E477D86AC2E3F313FEC2A28FB68C9E94B39B3160B26D7637DCE1E5053808FFE14CB0AAD9DD0C404BBD6D4C8D7EA897E8072
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 53%
              Process:C:\Users\user\AppData\Local\iodite\unfatigued.exe
              File Type:data
              Category:dropped
              Size (bytes):276
              Entropy (8bit):3.426105163804074
              Encrypted:false
              SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1MlHRDEQuFA6nriIM8lfQVn:DsO+vNlzQ1MlHVEQ14mA2n
              MD5:0D8CFA675F52AA13E7803D2E5CB07B13
              SHA1:0B6B19781497E3D9C44D5D34036832BA79D07B54
              SHA-256:5B924AEF8159030E1808A628135A016188B671E8365D6592176B3147D029447A
              SHA-512:4CC85A984529643D993A467D126925BF3E2C7AAFCC6CAAC44B49F61D41A370DFFA4D718FC767D0AAEFC999D8685A3D438D0B3C326F0AEA90810845A76A8BD668
              Malicious:true
Preview (UTF-16LE text decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\alfons\AppData\Local\iodite\unfatigued.exe", 1
Set WshShell = Nothing
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):6.844136552570977
              TrID:
              • Win32 Executable (generic) a (10002005/4) 99.96%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Drawing&spec.scr.exe
              File size:963'584 bytes
              MD5:3a43f4d6c1ce25bc8efe548fa2b16bc7
              SHA1:e0b8080d2c241ee9c8d7d31adb6ecc0fc43d0a0e
              SHA256:4b5cc1e99d28651fbb693422c5d392c5d47dfa61c8ec4995197706de5cb3442a
              SHA512:3613b2af89545273fb21c09889e02e477d86ac2e3f313fec2a28fb68c9e94b39b3160b26d7637dce1e5053808ffe14cb0aad9dd0c404bbd6d4c8d7ea897e8072
              SSDEEP:24576:uu6J33O0c+JY5UZ+XC0kGso6FauSnJzxWY:gu0c++OCvkGs9FauSaY
              TLSH:9D25AE2273DDC360CB669133BF69B7016EBF3C614630B95B2F980D7DA950162262D7A3
              Icon Hash:aaf3e3e3938382a0
              Entrypoint:0x427dcd
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
              Time Stamp:0x674FBECA [Wed Dec 4 02:30:34 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:1
              File Version Major:5
              File Version Minor:1
              Subsystem Version Major:5
              Subsystem Version Minor:1
              Import Hash:afcdf79be1557326c854b6e20cb900a7
              Instruction
              call 00007F9810BB954Ah
              jmp 00007F9810BAC314h
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              int3
              push edi
              push esi
              mov esi, dword ptr [esp+10h]
              mov ecx, dword ptr [esp+14h]
              mov edi, dword ptr [esp+0Ch]
              mov eax, ecx
              mov edx, ecx
              add eax, esi
              cmp edi, esi
              jbe 00007F9810BAC49Ah
              cmp edi, eax
              jc 00007F9810BAC7FEh
              bt dword ptr [004C31FCh], 01h
              jnc 00007F9810BAC499h
              rep movsb
              jmp 00007F9810BAC7ACh
              cmp ecx, 00000080h
              jc 00007F9810BAC664h
              mov eax, edi
              xor eax, esi
              test eax, 0000000Fh
              jne 00007F9810BAC4A0h
              bt dword ptr [004BE324h], 01h
              jc 00007F9810BAC970h
              bt dword ptr [004C31FCh], 00000000h
              jnc 00007F9810BAC63Dh
              test edi, 00000003h
              jne 00007F9810BAC64Eh
              test esi, 00000003h
              jne 00007F9810BAC62Dh
              bt edi, 02h
              jnc 00007F9810BAC49Fh
              mov eax, dword ptr [esi]
              sub ecx, 04h
              lea esi, dword ptr [esi+04h]
              mov dword ptr [edi], eax
              lea edi, dword ptr [edi+04h]
              bt edi, 03h
              jnc 00007F9810BAC4A3h
              movq xmm1, qword ptr [esi]
              sub ecx, 08h
              lea esi, dword ptr [esi+08h]
              movq qword ptr [edi], xmm1
              lea edi, dword ptr [edi+08h]
              test esi, 00000007h
              je 00007F9810BAC4F5h
              bt esi, 03h
              jnc 00007F9810BAC548h
              Programming Language:
              • [ASM] VS2013 build 21005
              • [ C ] VS2013 build 21005
              • [C++] VS2013 build 21005
              • [ C ] VS2008 SP1 build 30729
              • [IMP] VS2008 SP1 build 30729
              • [ASM] VS2013 UPD4 build 31101
              • [RES] VS2013 build 21005
              • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x22b60 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xea000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x22b60 | 0x22c00 | c3b349b1b457efe15bf52cb293256056 | False | 0.8110386690647482 | data | 7.569180054047332 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xea000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x19e27 | data | | | 1.0003867085443725
RT_GROUP_ICON | 0xe95e0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xe9658 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xe966c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xe9680 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xe9694 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xe9770 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
              DLL | Import
              WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
              VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
              WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
              COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
              MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
              WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
              PSAPI.DLL | GetProcessMemoryInfo
              IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
              USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
              UxTheme.dll | IsThemeActive
              KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
              USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
              GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
              COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
              ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
              SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
              ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
              OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
              Language of compilation system | Country where language is spoken | Map
              English | Great Britain |
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Dec 5, 2024 14:01:19.626641035 CET | 49704 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:19.746577978 CET | 6606 | 49704 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:01:19.746712923 CET | 49704 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:19.762429953 CET | 49704 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:19.884608984 CET | 6606 | 49704 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:01:41.637454987 CET | 6606 | 49704 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:01:41.637557030 CET | 49704 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:46.654813051 CET | 49704 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:46.655211926 CET | 49766 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:46.774498940 CET | 6606 | 49704 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:01:46.775074959 CET | 6606 | 49766 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:01:46.775229931 CET | 49766 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:46.775767088 CET | 49766 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:01:46.895524979 CET | 6606 | 49766 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:08.672199965 CET | 6606 | 49766 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:08.672405958 CET | 49766 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:13.684356928 CET | 49766 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:13.684645891 CET | 49828 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:13.804032087 CET | 6606 | 49766 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:13.804364920 CET | 6606 | 49828 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:13.804476023 CET | 49828 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:13.804927111 CET | 49828 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:13.924639940 CET | 6606 | 49828 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:35.716546059 CET | 6606 | 49828 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:35.716634989 CET | 49828 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:40.731201887 CET | 49828 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:40.731461048 CET | 49894 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:40.851070881 CET | 6606 | 49828 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:40.851330996 CET | 6606 | 49894 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:02:40.851412058 CET | 49894 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:40.851811886 CET | 49894 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:02:40.971569061 CET | 6606 | 49894 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:03:02.748455048 CET | 6606 | 49894 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:03:02.748522043 CET | 49894 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:03:07.788526058 CET | 49894 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:03:07.789324999 CET | 49955 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:03:07.908381939 CET | 6606 | 49894 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:03:07.909049034 CET | 6606 | 49955 | 69.174.100.131 | 192.168.2.5
              Dec 5, 2024 14:03:07.909195900 CET | 49955 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:03:07.909540892 CET | 49955 | 6606 | 192.168.2.5 | 69.174.100.131
              Dec 5, 2024 14:03:08.029330969 CET | 6606 | 49955 | 69.174.100.131 | 192.168.2.5

              Target ID: 0
              Start time: 08:01:04
              Start date: 05/12/2024
              Path: C:\Users\user\Desktop\Drawing&spec.scr.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\Drawing&spec.scr.exe"
              Imagebase: 0x8b0000
              File size: 963'584 bytes
              MD5 hash: 3A43F4D6C1CE25BC8EFE548FA2B16BC7
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: low
              Has exited: true

              Target ID: 2
              Start time: 08:01:05
              Start date: 05/12/2024
              Path: C:\Users\user\AppData\Local\iodite\unfatigued.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\Drawing&spec.scr.exe"
              Imagebase: 0x7a0000
              File size: 963'584 bytes
              MD5 hash: 3A43F4D6C1CE25BC8EFE548FA2B16BC7
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.2115887481.0000000001EA0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 53%, ReversingLabs
              Reputation: low
              Has exited: true

              Target ID: 3
              Start time: 08:01:05
              Start date: 05/12/2024
              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\Desktop\Drawing&spec.scr.exe"
              Imagebase: 0xa10000
              File size: 45'984 bytes
              MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
              Has elevated privileges: true
              Has administrator privileges: true
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: false

              Target ID: 4
              Start time: 08:01:17
              Start date: 05/12/2024
              Path: C:\Windows\System32\wscript.exe
              Wow64 process (32bit): false
              Commandline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unfatigued.vbs"
              Imagebase: 0x7ff606320000
              File size: 170'496 bytes
              MD5 hash: A47CBE969EA935BDD3AB568BB126BC80
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Reputation: high
              Has exited: true

              Target ID: 5
              Start time: 08:01:18
              Start date: 05/12/2024
              Path: C:\Users\user\AppData\Local\iodite\unfatigued.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
              Imagebase: 0x7a0000
              File size: 963'584 bytes
              MD5 hash: 3A43F4D6C1CE25BC8EFE548FA2B16BC7
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000005.00000002.2250816594.0000000000790000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
              Reputation: low
              Has exited: true

              Target ID: 6
              Start time: 08:01:19
              Start date: 05/12/2024
              Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Wow64 process (32bit): true
              Commandline: "C:\Users\user\AppData\Local\iodite\unfatigued.exe"
              Imagebase: 0x160000
              File size: 45'984 bytes
              MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
              Has elevated privileges: false
              Has administrator privileges: false
              Programmed in: C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000006.00000002.2361002914.0000000000532000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
              Reputation: high
              Has exited: true

                Execution Graph

                Execution Coverage: 3.1%
                Dynamic/Decrypted Code Coverage: 0.4%
                Signature Coverage: 4.6%
                Total number of Nodes: 2000
                Total number of Limit Nodes: 150
                execution_graph 104338 8f416f 104342 905fe6 104338->104342 104340 8f417a 104341 905fe6 85 API calls 104340->104341 104341->104340 104347 906020 104342->104347 104350 905ff3 104342->104350 104343 906022 104381 8b9328 84 API calls Mailbox 104343->104381 104344 906027 104353 8b9837 104344->104353 104347->104340 104350->104343 104350->104344 104350->104347 104351 90601a 104350->104351 104380 8b95a0 59 API calls _wcsstr 104351->104380 104354 8b9851 104353->104354 104363 8b984b 104353->104363 104355 8b9857 __itow 104354->104355 104356 8b9899 104354->104356 104358 8ef4da 104354->104358 104361 8ef5d3 __i64tow 104354->104361 104382 8d0db6 104355->104382 104396 8d3698 83 API calls 3 library calls 104356->104396 104364 8d0db6 Mailbox 59 API calls 104358->104364 104369 8ef552 Mailbox _wcscpy 104358->104369 104362 8b9871 104362->104363 104392 8b7de1 104362->104392 104371 8b7b2e 104363->104371 104366 8ef51f 104364->104366 104367 8d0db6 Mailbox 59 API calls 104366->104367 104368 8ef545 104367->104368 104368->104369 104370 8b7de1 59 API calls 104368->104370 104397 8d3698 83 API calls 3 library calls 104369->104397 104370->104369 104372 8eec6b 104371->104372 104373 8b7b40 104371->104373 104432 907bdb 59 API calls _memmove 104372->104432 104426 8b7a51 104373->104426 104376 8eec75 104433 8b8047 104376->104433 104377 8b7b4c 104377->104347 104379 8eec7d Mailbox 104380->104347 104381->104344 104384 8d0dbe 104382->104384 104385 8d0dd8 104384->104385 104387 8d0ddc std::exception::exception 104384->104387 104398 8d571c 104384->104398 104415 8d33a1 DecodePointer 104384->104415 104385->104362 104416 8d859b RaiseException 104387->104416 104389 8d0e06 104417 8d84d1 58 API calls _free 104389->104417 104391 8d0e18 104391->104362 104393 8b7df0 __wsetenvp _memmove 104392->104393 104394 8d0db6 Mailbox 59 API calls 104393->104394 104395 8b7e2e 104394->104395 104395->104363 104396->104355 104397->104361 104399 8d5797 104398->104399 104403 8d5728 104398->104403 104424 8d33a1 
DecodePointer 104399->104424 104401 8d579d 104425 8d8b28 58 API calls __getptd_noexit 104401->104425 104405 8d5733 104403->104405 104406 8d575b RtlAllocateHeap 104403->104406 104409 8d5783 104403->104409 104413 8d5781 104403->104413 104421 8d33a1 DecodePointer 104403->104421 104405->104403 104418 8da16b 58 API calls __NMSG_WRITE 104405->104418 104419 8da1c8 58 API calls 6 library calls 104405->104419 104420 8d309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 104405->104420 104406->104403 104407 8d578f 104406->104407 104407->104384 104422 8d8b28 58 API calls __getptd_noexit 104409->104422 104423 8d8b28 58 API calls __getptd_noexit 104413->104423 104415->104384 104416->104389 104417->104391 104418->104405 104419->104405 104421->104403 104422->104413 104423->104407 104424->104401 104425->104407 104427 8b7a5f 104426->104427 104431 8b7a85 _memmove 104426->104431 104428 8d0db6 Mailbox 59 API calls 104427->104428 104427->104431 104429 8b7ad4 104428->104429 104430 8d0db6 Mailbox 59 API calls 104429->104430 104430->104431 104431->104377 104432->104376 104434 8b805a 104433->104434 104435 8b8052 104433->104435 104434->104379 104437 8b7f77 104435->104437 104438 8b7f9a _memmove 104437->104438 104439 8b7f87 104437->104439 104438->104434 104439->104438 104440 8d0db6 Mailbox 59 API calls 104439->104440 104440->104438 104441 8efdfc 104472 8bab30 Mailbox _memmove 104441->104472 104445 8d0db6 59 API calls Mailbox 104445->104472 104447 8bb525 104581 919e4a 89 API calls 4 library calls 104447->104581 104449 8f0055 104580 919e4a 89 API calls 4 library calls 104449->104580 104452 8bb475 104458 8b8047 59 API calls 104452->104458 104454 8d0db6 59 API calls Mailbox 104470 8b9f37 Mailbox 104454->104470 104455 8f0064 104463 8ba057 104458->104463 104459 8bb47a 104459->104449 104469 8f09e5 104459->104469 104460 8b8047 59 API calls 104460->104470 104462 8b7667 59 API calls 104462->104470 104464 906e8f 59 API calls 104464->104470 104465 8d2d40 67 API calls __cinit 
104465->104470 104466 8b7de1 59 API calls 104466->104472 104467 8f09d6 104586 919e4a 89 API calls 4 library calls 104467->104586 104587 919e4a 89 API calls 4 library calls 104469->104587 104470->104449 104470->104452 104470->104454 104470->104459 104470->104460 104470->104462 104470->104463 104470->104464 104470->104465 104470->104467 104471 8ba55a 104470->104471 104545 8bc8c0 331 API calls 2 library calls 104470->104545 104546 8bb900 60 API calls Mailbox 104470->104546 104585 919e4a 89 API calls 4 library calls 104471->104585 104472->104445 104472->104447 104472->104463 104472->104466 104472->104470 104475 8bb2b6 104472->104475 104478 8f086a 104472->104478 104480 8f0878 104472->104480 104482 8f085c 104472->104482 104483 8bb21c 104472->104483 104487 906e8f 59 API calls 104472->104487 104492 932141 104472->104492 104530 92df23 104472->104530 104533 92445a 104472->104533 104542 92df37 104472->104542 104547 8b9ea0 104472->104547 104571 8b9c90 59 API calls Mailbox 104472->104571 104575 92c193 85 API calls 2 library calls 104472->104575 104576 92c2e0 96 API calls Mailbox 104472->104576 104577 917956 59 API calls Mailbox 104472->104577 104578 92bc6b 331 API calls Mailbox 104472->104578 104579 90617e 59 API calls Mailbox 104472->104579 104574 8bf6a3 331 API calls 104475->104574 104583 8b9c90 59 API calls Mailbox 104478->104583 104584 919e4a 89 API calls 4 library calls 104480->104584 104482->104463 104582 90617e 59 API calls Mailbox 104482->104582 104572 8b9d3c 60 API calls Mailbox 104483->104572 104485 8bb22d 104573 8b9d3c 60 API calls Mailbox 104485->104573 104487->104472 104588 8b7667 104492->104588 104495 8b9837 84 API calls 104496 932167 104495->104496 104593 8b7a16 104496->104593 104499 8b9837 84 API calls 104500 932187 104499->104500 104501 9321a1 104500->104501 104502 932215 104500->104502 104617 8b9b3c 59 API calls 104501->104617 104504 8b9837 84 API calls 104502->104504 104506 93221a 104504->104506 104505 9321a6 104507 932204 104505->104507 104512 9321bd 
104505->104512 104508 932246 104506->104508 104509 932228 104506->104509 104631 8b9a98 59 API calls Mailbox 104507->104631 104510 93225b 104508->104510 104633 8b9b3c 59 API calls 104508->104633 104632 8b9a98 59 API calls Mailbox 104509->104632 104515 932270 104510->104515 104634 8b9b3c 59 API calls 104510->104634 104618 8b784b 104512->104618 104518 8b7f77 59 API calls 104515->104518 104521 93228a 104518->104521 104519 9321ca 104520 8b7b2e 59 API calls 104519->104520 104522 9321d8 104520->104522 104598 90f401 104521->104598 104524 8b784b 59 API calls 104522->104524 104525 9321f1 104524->104525 104526 8b7b2e 59 API calls 104525->104526 104529 9321ff 104526->104529 104527 932211 Mailbox 104527->104472 104635 8b9a3c 59 API calls Mailbox 104529->104635 104657 92cadd 104530->104657 104532 92df33 104532->104472 104534 8b9837 84 API calls 104533->104534 104535 924494 104534->104535 104759 8b6240 104535->104759 104537 9244a4 104538 8b9ea0 331 API calls 104537->104538 104539 9244c9 104537->104539 104538->104539 104541 9244cd 104539->104541 104784 8b9a98 59 API calls Mailbox 104539->104784 104541->104472 104543 92cadd 130 API calls 104542->104543 104544 92df47 104543->104544 104544->104472 104545->104470 104546->104470 104548 8b9ebf 104547->104548 104568 8b9eed Mailbox 104547->104568 104549 8d0db6 Mailbox 59 API calls 104548->104549 104549->104568 104550 8bb475 104551 8b8047 59 API calls 104550->104551 104567 8ba057 104551->104567 104552 8bb47a 104554 8f09e5 104552->104554 104555 8f0055 104552->104555 104553 8d0db6 59 API calls Mailbox 104553->104568 104804 919e4a 89 API calls 4 library calls 104554->104804 104801 919e4a 89 API calls 4 library calls 104555->104801 104556 8b7667 59 API calls 104556->104568 104558 8ba55a 104802 919e4a 89 API calls 4 library calls 104558->104802 104561 8b8047 59 API calls 104561->104568 104562 8f0064 104562->104472 104563 8d2d40 67 API calls __cinit 104563->104568 104566 906e8f 59 API calls 104566->104568 104567->104472 104568->104550 
105771 8e7d85 105763->105771 105765 8e85ba 105765->105743 105766->105739 105767->105743 105768->105745 105769->105747 105770->105749 105772 8e7d91 __close 105771->105772 105773 8e7da7 105772->105773 105776 8e7ddd 105772->105776 105856 8d8b28 58 API calls __getptd_noexit 105773->105856 105775 8e7dac 105857 8d8db6 9 API calls __cftof2_l 105775->105857 105782 8e7e4e 105776->105782 105779 8e7df9 105858 8e7e22 LeaveCriticalSection __unlock_fhandle 105779->105858 105781 8e7db6 __close 105781->105765 105783 8e7e6e 105782->105783 105784 8d44ea __wsopen_nolock 58 API calls 105783->105784 105787 8e7e8a 105784->105787 105785 8d8dc6 __invoke_watson 8 API calls 105786 8e85a0 105785->105786 105789 8e7d85 __wsopen_helper 103 API calls 105786->105789 105788 8e7ec4 105787->105788 105795 8e7ee7 105787->105795 105804 8e7fc1 105787->105804 105790 8d8af4 __close 58 API calls 105788->105790 105791 8e85ba 105789->105791 105792 8e7ec9 105790->105792 105791->105779 105793 8d8b28 __cftof2_l 58 API calls 105792->105793 105794 8e7ed6 105793->105794 105797 8d8db6 __cftof2_l 9 API calls 105794->105797 105796 8e7fa5 105795->105796 105805 8e7f83 105795->105805 105798 8d8af4 __close 58 API calls 105796->105798 105799 8e7ee0 105797->105799 105800 8e7faa 105798->105800 105799->105779 105801 8d8b28 __cftof2_l 58 API calls 105800->105801 105802 8e7fb7 105801->105802 105803 8d8db6 __cftof2_l 9 API calls 105802->105803 105803->105804 105804->105785 105806 8dd294 __alloc_osfhnd 61 API calls 105805->105806 105807 8e8051 105806->105807 105808 8e807e 105807->105808 105809 8e805b 105807->105809 105811 8e7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105808->105811 105810 8d8af4 __close 58 API calls 105809->105810 105812 8e8060 105810->105812 105819 8e80a0 105811->105819 105813 8d8b28 __cftof2_l 58 API calls 105812->105813 105816 8e806a 105813->105816 105814 8e811e GetFileType 105817 8e816b 105814->105817 105818 8e8129 GetLastError 105814->105818 105815 8e80ec GetLastError 105820 8d8b07 
__dosmaperr 58 API calls 105815->105820 105821 8d8b28 __cftof2_l 58 API calls 105816->105821 105827 8dd52a __set_osfhnd 59 API calls 105817->105827 105822 8d8b07 __dosmaperr 58 API calls 105818->105822 105819->105814 105819->105815 105823 8e7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105819->105823 105824 8e8111 105820->105824 105821->105799 105825 8e8150 CloseHandle 105822->105825 105826 8e80e1 105823->105826 105829 8d8b28 __cftof2_l 58 API calls 105824->105829 105825->105824 105828 8e815e 105825->105828 105826->105814 105826->105815 105833 8e8189 105827->105833 105830 8d8b28 __cftof2_l 58 API calls 105828->105830 105829->105804 105831 8e8163 105830->105831 105831->105824 105832 8e8344 105832->105804 105835 8e8517 CloseHandle 105832->105835 105833->105832 105834 8e18c1 __lseeki64_nolock 60 API calls 105833->105834 105842 8e820a 105833->105842 105836 8e81f3 105834->105836 105837 8e7cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105835->105837 105839 8d8af4 __close 58 API calls 105836->105839 105836->105842 105838 8e853e 105837->105838 105840 8e8572 105838->105840 105841 8e8546 GetLastError 105838->105841 105839->105842 105840->105804 105843 8d8b07 __dosmaperr 58 API calls 105841->105843 105842->105832 105844 8e0add __close_nolock 61 API calls 105842->105844 105845 8e0e5b 70 API calls __read_nolock 105842->105845 105846 8e823c 105842->105846 105850 8dd886 __write 78 API calls 105842->105850 105851 8e83c1 105842->105851 105854 8e18c1 60 API calls __lseeki64_nolock 105842->105854 105847 8e8552 105843->105847 105844->105842 105845->105842 105846->105842 105849 8e97a2 __chsize_nolock 82 API calls 105846->105849 105848 8dd43d __free_osfhnd 59 API calls 105847->105848 105848->105840 105849->105846 105850->105842 105852 8e0add __close_nolock 61 API calls 105851->105852 105853 8e83c8 105852->105853 105855 8d8b28 __cftof2_l 58 API calls 105853->105855 105854->105842 105855->105804 105856->105775 105857->105781 105858->105781 105860 8b4b83 
105859->105860 105861 8b4c3f LoadLibraryA 105859->105861 105860->105663 105860->105664 105861->105860 105862 8b4c50 GetProcAddress 105861->105862 105862->105860 105864 8b4ea3 FindResourceExW 105863->105864 105865 8b4ec0 105863->105865 105864->105865 105866 8ed933 LoadResource 105864->105866 105865->105670 105866->105865 105867 8ed948 SizeofResource 105866->105867 105867->105865 105868 8ed95c LockResource 105867->105868 105868->105865 105870 8b4ef4 105869->105870 105873 8ed9ab 105869->105873 105875 8d584d 105870->105875 105872 8b4f02 105872->105680 105874->105670 105876 8d5859 __close 105875->105876 105877 8d586b 105876->105877 105879 8d5891 105876->105879 105888 8d8b28 58 API calls __getptd_noexit 105877->105888 105890 8d6c11 105879->105890 105880 8d5870 105889 8d8db6 9 API calls __cftof2_l 105880->105889 105883 8d5897 105896 8d57be 83 API calls 5 library calls 105883->105896 105885 8d58a6 105897 8d58c8 LeaveCriticalSection LeaveCriticalSection _fprintf 105885->105897 105887 8d587b __close 105887->105872 105888->105880 105889->105887 105891 8d6c21 105890->105891 105892 8d6c43 EnterCriticalSection 105890->105892 105891->105892 105894 8d6c29 105891->105894 105893 8d6c39 105892->105893 105893->105883 105895 8d9c0b __lock 58 API calls 105894->105895 105895->105893 105896->105885 105897->105887 105901 8d55fd 105898->105901 105900 8b4f2e 105900->105689 105902 8d5609 __close 105901->105902 105903 8d564c 105902->105903 105904 8d561f _memset 105902->105904 105905 8d5644 __close 105902->105905 105906 8d6c11 __lock_file 59 API calls 105903->105906 105928 8d8b28 58 API calls __getptd_noexit 105904->105928 105905->105900 105907 8d5652 105906->105907 105914 8d541d 105907->105914 105910 8d5639 105929 8d8db6 9 API calls __cftof2_l 105910->105929 105915 8d5453 105914->105915 105918 8d5438 _memset 105914->105918 105930 8d5686 LeaveCriticalSection LeaveCriticalSection _fprintf 105915->105930 105916 8d5443 106026 8d8b28 58 API calls __getptd_noexit 105916->106026 105918->105915 
105918->105916 105924 8d5493 105918->105924 105921 8d55a4 _memset 106029 8d8b28 58 API calls __getptd_noexit 105921->106029 105924->105915 105924->105921 105931 8d46e6 105924->105931 105938 8e0e5b 105924->105938 106006 8e0ba7 105924->106006 106028 8e0cc8 58 API calls 3 library calls 105924->106028 105927 8d5448 106027 8d8db6 9 API calls __cftof2_l 105927->106027 105928->105910 105929->105905 105930->105905 105932 8d4705 105931->105932 105933 8d46f0 105931->105933 105932->105924 106030 8d8b28 58 API calls __getptd_noexit 105933->106030 105935 8d46f5 106031 8d8db6 9 API calls __cftof2_l 105935->106031 105937 8d4700 105937->105924 105939 8e0e7c 105938->105939 105940 8e0e93 105938->105940 106041 8d8af4 58 API calls __getptd_noexit 105939->106041 105942 8e15cb 105940->105942 105947 8e0ecd 105940->105947 106057 8d8af4 58 API calls __getptd_noexit 105942->106057 105944 8e0e81 106042 8d8b28 58 API calls __getptd_noexit 105944->106042 105945 8e15d0 106058 8d8b28 58 API calls __getptd_noexit 105945->106058 105949 8e0ed5 105947->105949 105955 8e0eec 105947->105955 106043 8d8af4 58 API calls __getptd_noexit 105949->106043 105950 8e0ee1 106059 8d8db6 9 API calls __cftof2_l 105950->106059 105951 8e0e88 105951->105924 105953 8e0eda 106044 8d8b28 58 API calls __getptd_noexit 105953->106044 105955->105951 105956 8e0f01 105955->105956 105959 8e0f1b 105955->105959 105960 8e0f39 105955->105960 106045 8d8af4 58 API calls __getptd_noexit 105956->106045 105959->105956 105964 8e0f26 105959->105964 106046 8d881d 58 API calls 2 library calls 105960->106046 105962 8e0f49 105965 8e0f6c 105962->105965 105966 8e0f51 105962->105966 106032 8e5c6b 105964->106032 106049 8e18c1 60 API calls 3 library calls 105965->106049 106047 8d8b28 58 API calls __getptd_noexit 105966->106047 105967 8e103a 105969 8e10b3 ReadFile 105967->105969 105974 8e1050 GetConsoleMode 105967->105974 105972 8e10d5 105969->105972 105973 8e1593 GetLastError 105969->105973 105971 8e0f56 106048 8d8af4 58 API calls __getptd_noexit 
105971->106048 105972->105973 105980 8e10a5 105972->105980 105976 8e1093 105973->105976 105977 8e15a0 105973->105977 105978 8e1064 105974->105978 105979 8e10b0 105974->105979 105988 8e1099 105976->105988 106050 8d8b07 58 API calls 3 library calls 105976->106050 106055 8d8b28 58 API calls __getptd_noexit 105977->106055 105978->105979 105982 8e106a ReadConsoleW 105978->105982 105979->105969 105980->105988 105990 8e110a 105980->105990 105992 8e1377 105980->105992 105982->105980 105984 8e108d GetLastError 105982->105984 105983 8e15a5 106056 8d8af4 58 API calls __getptd_noexit 105983->106056 105984->105976 105987 8d2d55 _free 58 API calls 105987->105951 105988->105951 105988->105987 105991 8e1176 ReadFile 105990->105991 105997 8e11f7 105990->105997 105994 8e1197 GetLastError 105991->105994 106004 8e11a1 105991->106004 105992->105988 105993 8e147d ReadFile 105992->105993 105999 8e14a0 GetLastError 105993->105999 106005 8e14ae 105993->106005 105994->106004 105995 8e12b4 106000 8e1264 MultiByteToWideChar 105995->106000 106053 8e18c1 60 API calls 3 library calls 105995->106053 105996 8e12a4 106052 8d8b28 58 API calls __getptd_noexit 105996->106052 105997->105988 105997->105995 105997->105996 105997->106000 105999->106005 106000->105984 106000->105988 106004->105990 106051 8e18c1 60 API calls 3 library calls 106004->106051 106005->105992 106054 8e18c1 60 API calls 3 library calls 106005->106054 106007 8e0bb2 106006->106007 106011 8e0bc7 106006->106011 106093 8d8b28 58 API calls __getptd_noexit 106007->106093 106009 8e0bb7 106094 8d8db6 9 API calls __cftof2_l 106009->106094 106013 8e0bfc 106011->106013 106020 8e0bc2 106011->106020 106095 8e5fe4 58 API calls __malloc_crt 106011->106095 106014 8d46e6 __filbuf 58 API calls 106013->106014 106015 8e0c10 106014->106015 106060 8e0d47 106015->106060 106017 8e0c17 106018 8d46e6 __filbuf 58 API calls 106017->106018 106017->106020 106019 8e0c3a 106018->106019 106019->106020 106021 8d46e6 __filbuf 58 API calls 106019->106021 
106020->105924 106022 8e0c46 106021->106022 106022->106020 106023 8d46e6 __filbuf 58 API calls 106022->106023 106024 8e0c53 106023->106024 106025 8d46e6 __filbuf 58 API calls 106024->106025 106025->106020 106026->105927 106027->105915 106028->105924 106029->105927 106030->105935 106031->105937 106033 8e5c76 106032->106033 106034 8e5c83 106032->106034 106035 8d8b28 __cftof2_l 58 API calls 106033->106035 106036 8e5c8f 106034->106036 106037 8d8b28 __cftof2_l 58 API calls 106034->106037 106039 8e5c7b 106035->106039 106036->105967 106038 8e5cb0 106037->106038 106040 8d8db6 __cftof2_l 9 API calls 106038->106040 106039->105967 106040->106039 106041->105944 106042->105951 106043->105953 106044->105950 106045->105953 106046->105962 106047->105971 106048->105951 106049->105964 106050->105988 106051->106004 106052->105988 106053->106000 106054->106005 106055->105983 106056->105988 106057->105945 106058->105950 106059->105951 106061 8e0d53 __close 106060->106061 106062 8e0d77 106061->106062 106063 8e0d60 106061->106063 106064 8e0e3b 106062->106064 106066 8e0d8b 106062->106066 106065 8d8af4 __close 58 API calls 106063->106065 106067 8d8af4 __close 58 API calls 106064->106067 106068 8e0d65 106065->106068 106069 8e0da9 106066->106069 106070 8e0db6 106066->106070 106071 8e0dae 106067->106071 106072 8d8b28 __cftof2_l 58 API calls 106068->106072 106073 8d8af4 __close 58 API calls 106069->106073 106074 8e0dd8 106070->106074 106075 8e0dc3 106070->106075 106078 8d8b28 __cftof2_l 58 API calls 106071->106078 106082 8e0d6c __close 106072->106082 106073->106071 106077 8dd206 ___lock_fhandle 59 API calls 106074->106077 106076 8d8af4 __close 58 API calls 106075->106076 106079 8e0dc8 106076->106079 106080 8e0dde 106077->106080 106081 8e0dd0 106078->106081 106083 8d8b28 __cftof2_l 58 API calls 106079->106083 106084 8e0e04 106080->106084 106085 8e0df1 106080->106085 106086 8d8db6 __cftof2_l 9 API calls 106081->106086 106082->106017 106083->106081 106087 8d8b28 __cftof2_l 58 API calls 
106084->106087 106088 8e0e5b __read_nolock 70 API calls 106085->106088 106086->106082 106090 8e0e09 106087->106090 106089 8e0dfd 106088->106089 106092 8e0e33 __read LeaveCriticalSection 106089->106092 106091 8d8af4 __close 58 API calls 106090->106091 106091->106089 106092->106082 106093->106009 106094->106020 106095->106013 106099 8d520a GetSystemTimeAsFileTime 106096->106099 106098 918f6e 106098->105691 106100 8d5238 __aulldiv 106099->106100 106100->106098 106102 8d5c6c __close 106101->106102 106103 8d5c7e 106102->106103 106104 8d5c93 106102->106104 106115 8d8b28 58 API calls __getptd_noexit 106103->106115 106106 8d6c11 __lock_file 59 API calls 106104->106106 106108 8d5c99 106106->106108 106107 8d5c83 106116 8d8db6 9 API calls __cftof2_l 106107->106116 106117 8d58d0 67 API calls 6 library calls 106108->106117 106111 8d5ca4 106118 8d5cc4 LeaveCriticalSection LeaveCriticalSection _fprintf 106111->106118 106113 8d5cb6 106114 8d5c8e __close 106113->106114 106114->105696 106115->106107 106116->106114 106117->106111 106118->106113 106119->105578 106120->105591 106121->105593 106122->105589 106123->105598 106124->105599 106126 919748 __tzset_nolock _wcscmp 106125->106126 106127 9195dc 106126->106127 106128 8b4f0b 74 API calls 106126->106128 106129 919109 GetSystemTimeAsFileTime 106126->106129 106130 8b4ee5 85 API calls 106126->106130 106127->105609 106127->105610 106128->106126 106129->106126 106130->106126 106132 918b11 106131->106132 106134 918b1f 106131->106134 106133 8d525b 115 API calls 106132->106133 106133->106134 106135 8d525b 115 API calls 106134->106135 106136 918b64 106134->106136 106161 918b28 106134->106161 106137 918b49 106135->106137 106162 918d91 106136->106162 106137->106136 106139 918b52 106137->106139 106143 8d53a6 __fcloseall 83 API calls 106139->106143 106139->106161 106140 918ba8 106141 918bcd 106140->106141 106142 918bac 106140->106142 106166 9189a9 106141->106166 106145 918bb9 106142->106145 106146 8d53a6 __fcloseall 83 API calls 106142->106146 
106143->106161 106148 8d53a6 __fcloseall 83 API calls 106145->106148 106145->106161 106146->106145 106148->106161 106149 918bfb 106175 918c2b 106149->106175 106150 918bdb 106152 918be8 106150->106152 106154 8d53a6 __fcloseall 83 API calls 106150->106154 106155 8d53a6 __fcloseall 83 API calls 106152->106155 106152->106161 106154->106152 106155->106161 106158 918c16 106160 8d53a6 __fcloseall 83 API calls 106158->106160 106158->106161 106160->106161 106161->105638 106163 918db6 106162->106163 106165 918d9f __tzset_nolock _memmove 106162->106165 106164 8d55e2 __fread_nolock 74 API calls 106163->106164 106164->106165 106165->106140 106167 8d571c __malloc_crt 58 API calls 106166->106167 106168 9189b8 106167->106168 106169 8d571c __malloc_crt 58 API calls 106168->106169 106170 9189cc 106169->106170 106171 8d571c __malloc_crt 58 API calls 106170->106171 106172 9189e0 106171->106172 106173 918d0d 58 API calls 106172->106173 106174 9189f3 106172->106174 106173->106174 106174->106149 106174->106150 106176 918c40 106175->106176 106177 918cf8 106176->106177 106178 918a05 74 API calls 106176->106178 106182 918c02 106176->106182 106208 918aa1 74 API calls 106176->106208 106209 918e12 80 API calls 106176->106209 106204 918f35 106177->106204 106178->106176 106183 918d0d 106182->106183 106184 918d20 106183->106184 106185 918d1a 106183->106185 106187 918d31 106184->106187 106188 8d2d55 _free 58 API calls 106184->106188 106186 8d2d55 _free 58 API calls 106185->106186 106186->106184 106189 918c09 106187->106189 106190 8d2d55 _free 58 API calls 106187->106190 106188->106187 106189->106158 106191 8d53a6 106189->106191 106190->106189 106192 8d53b2 __close 106191->106192 106193 8d53c6 106192->106193 106194 8d53de 106192->106194 106291 8d8b28 58 API calls __getptd_noexit 106193->106291 106196 8d6c11 __lock_file 59 API calls 106194->106196 106201 8d53d6 __close 106194->106201 106198 8d53f0 106196->106198 106197 8d53cb 106292 8d8db6 9 API calls __cftof2_l 106197->106292 106275 8d533a 
106198->106275 106201->106158 106205 918f42 106204->106205 106206 918f53 106204->106206 106210 8d4863 106205->106210 106206->106182 106208->106176 106209->106176 106211 8d486f __close 106210->106211 106212 8d488d 106211->106212 106213 8d48a5 106211->106213 106215 8d489d __close 106211->106215 106235 8d8b28 58 API calls __getptd_noexit 106212->106235 106216 8d6c11 __lock_file 59 API calls 106213->106216 106215->106206 106218 8d48ab 106216->106218 106217 8d4892 106236 8d8db6 9 API calls __cftof2_l 106217->106236 106223 8d470a 106218->106223 106226 8d4719 106223->106226 106229 8d4737 106223->106229 106224 8d4727 106266 8d8b28 58 API calls __getptd_noexit 106224->106266 106226->106224 106226->106229 106233 8d4751 _memmove 106226->106233 106227 8d472c 106267 8d8db6 9 API calls __cftof2_l 106227->106267 106237 8d48dd LeaveCriticalSection LeaveCriticalSection _fprintf 106229->106237 106232 8d46e6 __filbuf 58 API calls 106232->106233 106233->106229 106233->106232 106238 8dd886 106233->106238 106268 8d4a3d 106233->106268 106274 8dae1e 78 API calls 7 library calls 106233->106274 106235->106217 106236->106215 106237->106215 106239 8dd892 __close 106238->106239 106240 8dd89f 106239->106240 106241 8dd8b6 106239->106241 106242 8d8af4 __close 58 API calls 106240->106242 106243 8dd955 106241->106243 106245 8dd8ca 106241->106245 106244 8dd8a4 106242->106244 106246 8d8af4 __close 58 API calls 106243->106246 106247 8d8b28 __cftof2_l 58 API calls 106244->106247 106248 8dd8e8 106245->106248 106249 8dd8f2 106245->106249 106252 8dd8ed 106246->106252 106262 8dd8ab __close 106247->106262 106250 8d8af4 __close 58 API calls 106248->106250 106251 8dd206 ___lock_fhandle 59 API calls 106249->106251 106250->106252 106253 8dd8f8 106251->106253 106254 8d8b28 __cftof2_l 58 API calls 106252->106254 106255 8dd91e 106253->106255 106256 8dd90b 106253->106256 106257 8dd961 106254->106257 106258 8d8b28 __cftof2_l 58 API calls 106255->106258 106259 8dd975 __write_nolock 76 API calls 106256->106259 106260 
8d8db6 __cftof2_l 9 API calls 106257->106260 106263 8dd923 106258->106263 106261 8dd917 106259->106261 106260->106262 106265 8dd94d __write LeaveCriticalSection 106261->106265 106262->106233 106264 8d8af4 __close 58 API calls 106263->106264 106264->106261 106265->106262 106266->106227 106267->106229 106269 8d4a50 106268->106269 106273 8d4a74 106268->106273 106270 8d46e6 __filbuf 58 API calls 106269->106270 106269->106273 106271 8d4a6d 106270->106271 106272 8dd886 __write 78 API calls 106271->106272 106272->106273 106273->106233 106274->106233 106276 8d535d 106275->106276 106277 8d5349 106275->106277 106280 8d5359 106276->106280 106281 8d4a3d __flush 78 API calls 106276->106281 106324 8d8b28 58 API calls __getptd_noexit 106277->106324 106279 8d534e 106325 8d8db6 9 API calls __cftof2_l 106279->106325 106293 8d5415 LeaveCriticalSection LeaveCriticalSection _fprintf 106280->106293 106283 8d5369 106281->106283 106294 8e0b77 106283->106294 106286 8d46e6 __filbuf 58 API calls 106287 8d5377 106286->106287 106298 8e0a02 106287->106298 106289 8d537d 106289->106280 106290 8d2d55 _free 58 API calls 106289->106290 106290->106280 106291->106197 106292->106201 106293->106201 106295 8e0b84 106294->106295 106297 8d5371 106294->106297 106296 8d2d55 _free 58 API calls 106295->106296 106295->106297 106296->106297 106297->106286 106299 8e0a0e __close 106298->106299 106300 8e0a1b 106299->106300 106301 8e0a32 106299->106301 106350 8d8af4 58 API calls __getptd_noexit 106300->106350 106303 8e0abd 106301->106303 106305 8e0a42 106301->106305 106355 8d8af4 58 API calls __getptd_noexit 106303->106355 106304 8e0a20 106351 8d8b28 58 API calls __getptd_noexit 106304->106351 106308 8e0a6a 106305->106308 106309 8e0a60 106305->106309 106326 8dd206 106308->106326 106352 8d8af4 58 API calls __getptd_noexit 106309->106352 106310 8e0a65 106356 8d8b28 58 API calls __getptd_noexit 106310->106356 106314 8e0a70 106316 8e0a8e 106314->106316 106317 8e0a83 106314->106317 106315 8e0ac9 106357 8d8db6 9 API calls 
__cftof2_l 106315->106357 106353 8d8b28 58 API calls __getptd_noexit 106316->106353 106335 8e0add 106317->106335 106321 8e0a27 __close 106321->106289 106322 8e0a89 106354 8e0ab5 LeaveCriticalSection __unlock_fhandle 106322->106354 106324->106279 106325->106280 106327 8dd212 __close 106326->106327 106328 8dd261 EnterCriticalSection 106327->106328 106329 8d9c0b __lock 58 API calls 106327->106329 106330 8dd287 __close 106328->106330 106331 8dd237 106329->106331 106330->106314 106334 8dd24f 106331->106334 106358 8d9e2b InitializeCriticalSectionAndSpinCount 106331->106358 106359 8dd28b LeaveCriticalSection _doexit 106334->106359 106360 8dd4c3 106335->106360 106337 8e0b41 106373 8dd43d 59 API calls 2 library calls 106337->106373 106339 8e0aeb 106339->106337 106342 8dd4c3 __commit 58 API calls 106339->106342 106349 8e0b1f 106339->106349 106340 8dd4c3 __commit 58 API calls 106343 8e0b2b CloseHandle 106340->106343 106341 8e0b49 106344 8e0b6b 106341->106344 106374 8d8b07 58 API calls 3 library calls 106341->106374 106345 8e0b16 106342->106345 106343->106337 106347 8e0b37 GetLastError 106343->106347 106344->106322 106346 8dd4c3 __commit 58 API calls 106345->106346 106346->106349 106347->106337 106349->106337 106349->106340 106350->106304 106351->106321 106352->106310 106353->106322 106354->106321 106355->106310 106356->106315 106357->106321 106358->106334 106359->106328 106361 8dd4ce 106360->106361 106362 8dd4e3 106360->106362 106363 8d8af4 __close 58 API calls 106361->106363 106364 8d8af4 __close 58 API calls 106362->106364 106366 8dd508 106362->106366 106365 8dd4d3 106363->106365 106367 8dd512 106364->106367 106368 8d8b28 __cftof2_l 58 API calls 106365->106368 106366->106339 106369 8d8b28 __cftof2_l 58 API calls 106367->106369 106370 8dd4db 106368->106370 106371 8dd51a 106369->106371 106370->106339 106372 8d8db6 __cftof2_l 9 API calls 106371->106372 106372->106370 106373->106341 106374->106344 106376 8e1940 __write_nolock 106375->106376 106377 8d079e GetLongPathNameW 
106376->106377 106378 8b7bcc 59 API calls 106377->106378 106379 8b72bd 106378->106379 106380 8b700b 106379->106380 106381 8b7667 59 API calls 106380->106381 106382 8b701d 106381->106382 106383 8b4750 60 API calls 106382->106383 106384 8b7028 106383->106384 106385 8b7033 106384->106385 106386 8ee885 106384->106386 106387 8b3f74 59 API calls 106385->106387 106391 8ee89f 106386->106391 106433 8b7908 61 API calls 106386->106433 106389 8b703f 106387->106389 106427 8b34c2 106389->106427 106392 8b7052 Mailbox 106392->105427 106394 8b4ddd 136 API calls 106393->106394 106395 8b688f 106394->106395 106396 8ee031 106395->106396 106398 8b4ddd 136 API calls 106395->106398 106397 91955b 122 API calls 106396->106397 106399 8ee046 106397->106399 106400 8b68a3 106398->106400 106401 8ee04a 106399->106401 106402 8ee067 106399->106402 106400->106396 106403 8b68ab 106400->106403 106404 8b4e4a 84 API calls 106401->106404 106405 8d0db6 Mailbox 59 API calls 106402->106405 106406 8ee052 106403->106406 106407 8b68b7 106403->106407 106404->106406 106416 8ee0ac Mailbox 106405->106416 106533 9142f8 90 API calls _wprintf 106406->106533 106434 8b6a8c 106407->106434 106410 8ee060 106410->106402 106412 8ee260 106413 8d2d55 _free 58 API calls 106412->106413 106414 8ee268 106413->106414 106415 8b4e4a 84 API calls 106414->106415 106421 8ee271 106415->106421 106416->106412 106417 8b750f 59 API calls 106416->106417 106416->106421 106424 8b7de1 59 API calls 106416->106424 106527 8b735d 106416->106527 106534 90f73d 59 API calls 2 library calls 106416->106534 106535 90f65e 61 API calls 2 library calls 106416->106535 106536 91737f 59 API calls Mailbox 106416->106536 106417->106416 106420 8d2d55 _free 58 API calls 106420->106421 106421->106420 106423 8b4e4a 84 API calls 106421->106423 106537 90f7a1 89 API calls 4 library calls 106421->106537 106423->106421 106424->106416 106428 8b34d4 106427->106428 106432 8b34f3 _memmove 106427->106432 106430 8d0db6 Mailbox 59 API calls 106428->106430 106429 8d0db6 Mailbox 
59 API calls 106431 8b350a 106429->106431 106430->106432 106431->106392 106432->106429 106433->106386 106435 8ee41e 106434->106435 106436 8b6ab5 106434->106436 106610 90f7a1 89 API calls 4 library calls 106435->106610 106543 8b57a6 60 API calls Mailbox 106436->106543 106439 8ee431 106611 90f7a1 89 API calls 4 library calls 106439->106611 106440 8b6ad7 106544 8b57f6 67 API calls 106440->106544 106442 8b6aec 106442->106439 106443 8b6af4 106442->106443 106445 8b7667 59 API calls 106443->106445 106447 8b6b00 106445->106447 106446 8ee44d 106449 8b6b61 106446->106449 106545 8d0957 60 API calls __write_nolock 106447->106545 106451 8b6b6f 106449->106451 106452 8ee460 106449->106452 106450 8b6b0c 106453 8b7667 59 API calls 106450->106453 106455 8b7667 59 API calls 106451->106455 106454 8b5c6f CloseHandle 106452->106454 106456 8b6b18 106453->106456 106457 8ee46c 106454->106457 106458 8b6b78 106455->106458 106460 8b4750 60 API calls 106456->106460 106461 8b4ddd 136 API calls 106457->106461 106459 8b7667 59 API calls 106458->106459 106462 8b6b81 106459->106462 106463 8b6b26 106460->106463 106464 8ee488 106461->106464 106548 8b459b 106462->106548 106546 8b5850 ReadFile SetFilePointerEx 106463->106546 106467 8ee4b1 106464->106467 106468 91955b 122 API calls 106464->106468 106612 90f7a1 89 API calls 4 library calls 106467->106612 106472 8ee4a4 106468->106472 106469 8b6b98 106473 8b7b2e 59 API calls 106469->106473 106471 8b6b52 106547 8b5aee SetFilePointerEx SetFilePointerEx 106471->106547 106476 8ee4ac 106472->106476 106477 8ee4cd 106472->106477 106478 8b6ba9 SetCurrentDirectoryW 106473->106478 106474 8ee4c8 106505 8b6d0c Mailbox 106474->106505 106479 8b4e4a 84 API calls 106476->106479 106480 8b4e4a 84 API calls 106477->106480 106483 8b6bbc Mailbox 106478->106483 106479->106467 106481 8ee4d2 106480->106481 106482 8d0db6 Mailbox 59 API calls 106481->106482 106489 8ee506 106482->106489 106485 8d0db6 Mailbox 59 API calls 106483->106485 106487 8b6bcf 106485->106487 106486 8b3bbb 
106486->105286 106486->105295 106488 8b522e 59 API calls 106487->106488 106516 8b6bda Mailbox __wsetenvp 106488->106516 106490 8b750f 59 API calls 106489->106490 106523 8ee54f Mailbox 106490->106523 106491 8b6ce7 106606 8b5c6f 106491->106606 106493 8ee740 106617 9172df 59 API calls Mailbox 106493->106617 106495 8b6cf3 SetCurrentDirectoryW 106495->106505 106498 8ee762 106618 92fbce 59 API calls 2 library calls 106498->106618 106501 8ee76f 106503 8d2d55 _free 58 API calls 106501->106503 106502 8ee7d9 106621 90f7a1 89 API calls 4 library calls 106502->106621 106503->106505 106538 8b57d4 106505->106538 106507 8b750f 59 API calls 106507->106523 106508 8ee7f2 106508->106491 106509 8ee7d1 106620 90f5f7 59 API calls 4 library calls 106509->106620 106511 8b7de1 59 API calls 106511->106516 106516->106491 106516->106502 106516->106509 106516->106511 106599 8b586d 67 API calls _wcscpy 106516->106599 106600 8b6f5d GetStringTypeW 106516->106600 106601 8b6ecc 60 API calls __wcsnicmp 106516->106601 106602 8b6faa GetStringTypeW __wsetenvp 106516->106602 106603 8d363d GetStringTypeW _iswctype 106516->106603 106604 8b68dc 165 API calls 3 library calls 106516->106604 106605 8b7213 59 API calls Mailbox 106516->106605 106517 8b7de1 59 API calls 106517->106523 106521 8ee792 106619 90f7a1 89 API calls 4 library calls 106521->106619 106523->106493 106523->106507 106523->106517 106523->106521 106613 90f73d 59 API calls 2 library calls 106523->106613 106614 90f65e 61 API calls 2 library calls 106523->106614 106615 91737f 59 API calls Mailbox 106523->106615 106616 8b7213 59 API calls Mailbox 106523->106616 106524 8ee7ab 106525 8d2d55 _free 58 API calls 106524->106525 106526 8ee7be 106525->106526 106526->106505 106528 8b7370 106527->106528 106530 8b741e 106527->106530 106529 8d0db6 Mailbox 59 API calls 106528->106529 106532 8b73a2 106528->106532 106529->106532 106530->106416 106531 8d0db6 59 API calls Mailbox 106531->106532 106532->106530 106532->106531 106533->106410 106534->106416 
                Control-flow graph edge listing (continuation of the preceding function graph; node and edge dump omitted). API calls visible in this portion of the graph: CloseHandle, GetPEB, Sleep, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, GetStdHandle, OleInitialize, CreateThread, RegisterWindowMessageW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey.

                Control-flow Graph

                APIs
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008B3B68
                • IsDebuggerPresent.KERNEL32 ref: 008B3B7A
                • GetFullPathNameW.KERNEL32(00007FFF,?,?,009752F8,009752E0,?,?), ref: 008B3BEB
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                  • Part of subcall function 008C092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,008B3C14,009752F8,?,?,?), ref: 008C096E
                • SetCurrentDirectoryW.KERNEL32(?), ref: 008B3C6F
                • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00967770,00000010), ref: 008ED281
                • SetCurrentDirectoryW.KERNEL32(?,009752F8,?,?,?), ref: 008ED2B9
                • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00964260,009752F8,?,?,?), ref: 008ED33F
                • ShellExecuteW.SHELL32(00000000,?,?), ref: 008ED346
                  • Part of subcall function 008B3A46: GetSysColorBrush.USER32(0000000F), ref: 008B3A50
                  • Part of subcall function 008B3A46: LoadCursorW.USER32(00000000,00007F00), ref: 008B3A5F
                  • Part of subcall function 008B3A46: LoadIconW.USER32(00000063), ref: 008B3A76
                  • Part of subcall function 008B3A46: LoadIconW.USER32(000000A4), ref: 008B3A88
                  • Part of subcall function 008B3A46: LoadIconW.USER32(000000A2), ref: 008B3A9A
                  • Part of subcall function 008B3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008B3AC0
                  • Part of subcall function 008B3A46: RegisterClassExW.USER32(?), ref: 008B3B16
                  • Part of subcall function 008B39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008B3A03
                  • Part of subcall function 008B39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008B3A24
                  • Part of subcall function 008B39D5: ShowWindow.USER32(00000000,?,?), ref: 008B3A38
                  • Part of subcall function 008B39D5: ShowWindow.USER32(00000000,?,?), ref: 008B3A41
                  • Part of subcall function 008B434A: _memset.LIBCMT ref: 008B4370
                  • Part of subcall function 008B434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008B4415
                Strings
                • runas, xrefs: 008ED33A
                • This is a third-party compiled AutoIt script., xrefs: 008ED279
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                • String ID: This is a third-party compiled AutoIt script.$runas
                • API String ID: 529118366-3287110873
                • Opcode ID: d337e54aa41356a66bc16128e510452fb4043b1d19b7636b42ad994fe6870584
                • Instruction ID: 61234fb16918a65eed4a5c45d5ba257f70a22dfe41bf5656b7ae1a14cd373b31
                • Opcode Fuzzy Hash: d337e54aa41356a66bc16128e510452fb4043b1d19b7636b42ad994fe6870584
                • Instruction Fuzzy Hash: 0451D132D08748AEDB11EBF8DC15EED7B78FB85754B008065F425F22A3DAB05645DB22

                Control-flow Graph

                Control-flow graph for function 008B49A0 (node and edge listing omitted; the original rendering distinguished executed from non-executed basic blocks). API calls in the graph: GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, FreeLibrary.
                APIs
                • GetVersionExW.KERNEL32(?), ref: 008B49CD
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                • GetCurrentProcess.KERNEL32(?,0093FAEC,00000000,00000000,?), ref: 008B4A9A
                • IsWow64Process.KERNEL32(00000000), ref: 008B4AA1
                • GetNativeSystemInfo.KERNELBASE(00000000), ref: 008B4AE7
                • FreeLibrary.KERNEL32(00000000), ref: 008B4AF2
                • GetSystemInfo.KERNEL32(00000000), ref: 008B4B23
                • GetSystemInfo.KERNEL32(00000000), ref: 008B4B2F
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                • String ID:
                • API String ID: 1986165174-0
                • Opcode ID: bad08240bc77c92fa675f6fb2724989d22b241a935ab120bc7117e0828dbe25c
                • Instruction ID: 78665941ad433a0371203866bd845693535de47d69f2fa20495df62cc247ffd1
                • Opcode Fuzzy Hash: bad08240bc77c92fa675f6fb2724989d22b241a935ab120bc7117e0828dbe25c
                • Instruction Fuzzy Hash: F491BF3198D7D4DAC721DB6884511EABFF5FF2A300B4859AED0D7D3B42D220A908D76A

                Control-flow Graph

                Control-flow graph for function 008B4E89 (node and edge listing omitted; the original rendering distinguished executed from non-executed basic blocks). API calls in the graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource.
                APIs
                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008B4D8E,?,?,00000000,00000000), ref: 008B4E99
                • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008B4D8E,?,?,00000000,00000000), ref: 008B4EB0
                • LoadResource.KERNEL32(?,00000000,?,?,008B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008B4E2F), ref: 008ED937
                • SizeofResource.KERNEL32(?,00000000,?,?,008B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008B4E2F), ref: 008ED94C
                • LockResource.KERNEL32(008B4D8E,?,?,008B4D8E,?,?,00000000,00000000,?,?,?,?,?,?,008B4E2F,00000000), ref: 008ED95F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                • String ID: SCRIPT
                • API String ID: 3051347437-3967369404
                • Opcode ID: 2b3ec665dfbe4bb65b88bc07b81d4d91b8d183e15aa027ebd9f1fcc7b0f356cc
                • Instruction ID: 9e40fe4efd52b35fe1e151bd81116060761bb18952841ca8f28e16fe4df48648
                • Opcode Fuzzy Hash: 2b3ec665dfbe4bb65b88bc07b81d4d91b8d183e15aa027ebd9f1fcc7b0f356cc
                • Instruction Fuzzy Hash: 8011AC71600300BFD7208B65EC49F677BBAFBC5B21F20426CF416C6261DB71EC049A60
                APIs
                • GetFileAttributesW.KERNELBASE(?,008EE398), ref: 0091446A
                • FindFirstFileW.KERNELBASE(?,?), ref: 0091447B
                • FindClose.KERNEL32(00000000), ref: 0091448B
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: FileFind$AttributesCloseFirst
                • String ID:
                • API String ID: 48322524-0
                • Opcode ID: 0fb1aec9f77fe7561a831fd9005d97328c36bd88d1256f75d6881f6281654c4c
                • Instruction ID: 8e1aa91aa58540adde04fcb365ad6845452e9af4bffa7d3a154ce6932bd13daf
                • Opcode Fuzzy Hash: 0fb1aec9f77fe7561a831fd9005d97328c36bd88d1256f75d6881f6281654c4c
                • Instruction Fuzzy Hash: 75E0D833924505A746106B38EC0D8EA779C9E09375F100715F835C20F0E7745940AAD6
                Strings
                • Variable must be of type 'Object'., xrefs: 008F3E62
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID: Variable must be of type 'Object'.
                • API String ID: 0-109567571
                • Opcode ID: 775da7e9abb58cfb459239016833420ee383cd62c6a08c1f024c36a991f8286d
                • Instruction ID: acc7583b7424602dab3044592b7c2160c4bcd2df20c22127c9401e365441a3e3
                • Opcode Fuzzy Hash: 775da7e9abb58cfb459239016833420ee383cd62c6a08c1f024c36a991f8286d
                • Instruction Fuzzy Hash: 72A27B75A00619CFCB24CF58C880AEABBB1FF58314F248469E915EB352D774ED82CB91
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C0A5B
                • timeGetTime.WINMM ref: 008C0D16
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008C0E53
                • Sleep.KERNEL32(0000000A), ref: 008C0E61
                • LockWindowUpdate.USER32(00000000,?,?), ref: 008C0EFA
                • DestroyWindow.USER32 ref: 008C0F06
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008C0F20
                • Sleep.KERNEL32(0000000A,?,?), ref: 008F4E83
                • TranslateMessage.USER32(?), ref: 008F5C60
                • DispatchMessageW.USER32(?), ref: 008F5C6E
                • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008F5C82
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                • API String ID: 4212290369-3242690629
                • Opcode ID: 84e7c85af6f6bbe37cbf9c732fac64cb57e9cca07164623e1d97d29fcbf4eab2
                • Instruction ID: 22952d0c6367b5b415b22a6499ac70742236b073af097f4f48f8bf3d40c70fec
                • Opcode Fuzzy Hash: 84e7c85af6f6bbe37cbf9c732fac64cb57e9cca07164623e1d97d29fcbf4eab2
                • Instruction Fuzzy Hash: C3B29D70608749DFD724DB24C894FAAB7E5FF85304F144A1DE69AD72A1CB70E884DB82

                Control-flow Graph

                APIs
                  • Part of subcall function 00918F5F: __time64.LIBCMT ref: 00918F69
                  • Part of subcall function 008B4EE5: _fseek.LIBCMT ref: 008B4EFD
                • __wsplitpath.LIBCMT ref: 00919234
                  • Part of subcall function 008D40FB: __wsplitpath_helper.LIBCMT ref: 008D413B
                • _wcscpy.LIBCMT ref: 00919247
                • _wcscat.LIBCMT ref: 0091925A
                • __wsplitpath.LIBCMT ref: 0091927F
                • _wcscat.LIBCMT ref: 00919295
                • _wcscat.LIBCMT ref: 009192A8
                  • Part of subcall function 00918FA5: _memmove.LIBCMT ref: 00918FDE
                  • Part of subcall function 00918FA5: _memmove.LIBCMT ref: 00918FED
                • _wcscmp.LIBCMT ref: 009191EF
                  • Part of subcall function 00919734: _wcscmp.LIBCMT ref: 00919824
                  • Part of subcall function 00919734: _wcscmp.LIBCMT ref: 00919837
                • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00919452
                • _wcsncpy.LIBCMT ref: 009194C5
                • DeleteFileW.KERNEL32(?,?), ref: 009194FB
                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00919511
                • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00919522
                • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00919534
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                • String ID:
                • API String ID: 1500180987-0
                • Opcode ID: 354f14736e38ef7970f36a6ee1c847fb1fa386094e303670704b856457c9000a
                • Instruction ID: 3669506135dfdd8a37dfb14d4e5c75e04a8187d4ad580a706ff08e019c3eded8
                • Opcode Fuzzy Hash: 354f14736e38ef7970f36a6ee1c847fb1fa386094e303670704b856457c9000a
                • Instruction Fuzzy Hash: B5C14BB1E0021DAADF21DF95CC95ADEB7BDEF85310F0041AAF609E7251DB309A848F61

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 008B3074
                • RegisterClassExW.USER32(00000030), ref: 008B309E
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008B30AF
                • InitCommonControlsEx.COMCTL32(?), ref: 008B30CC
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008B30DC
                • LoadIconW.USER32(000000A9), ref: 008B30F2
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008B3101
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: 7432406c9bbf99d56ca721d75d6ce2aa49dcdacd4cacb85b633fb025b8c1aea4
                • Instruction ID: 40397438738552c2e41390f433e4f03dee98fcb14dba44f502d7a4cdd0256159
                • Opcode Fuzzy Hash: 7432406c9bbf99d56ca721d75d6ce2aa49dcdacd4cacb85b633fb025b8c1aea4
                • Instruction Fuzzy Hash: 323147B2C65309EFDB40CFA4D889BC9BBF0FB08310F14452AE594EA2A0E7B50585DF91

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 008B3074
                • RegisterClassExW.USER32(00000030), ref: 008B309E
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008B30AF
                • InitCommonControlsEx.COMCTL32(?), ref: 008B30CC
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008B30DC
                • LoadIconW.USER32(000000A9), ref: 008B30F2
                • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008B3101
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: fcc236970bb353e57253cbf334828ec0a4e7b313e57b79e767b1643c8ae23cf0
                • Instruction ID: 3e0a8a40029735b92c6617fe245db3a0bec05ce7dc24e70df0159425055dd579
                • Opcode Fuzzy Hash: fcc236970bb353e57253cbf334828ec0a4e7b313e57b79e767b1643c8ae23cf0
                • Instruction Fuzzy Hash: A221C5B2D29218AFDB40DFA4E999BDDBBF4FB08700F01412AF515A62A0D7B14584AF91

                Control-flow Graph

                APIs
                  • Part of subcall function 008B4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009752F8,?,008B37AE,?), ref: 008B4724
                  • Part of subcall function 008D050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008B7165), ref: 008D052D
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008B71A8
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008EE8C8
                • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008EE909
                • RegCloseKey.ADVAPI32(?), ref: 008EE947
                • _wcscat.LIBCMT ref: 008EE9A0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                • API String ID: 2673923337-2727554177
                • Opcode ID: a9436dfbfef7ed5e32ef3985317208f361bfd98c7d3f987ebfbc9e06f41ec7b9
                • Instruction ID: 3b06d1324475e3cd49e2b650887a549de1539d7a37df19f7378b0c6b828bd013
                • Opcode Fuzzy Hash: a9436dfbfef7ed5e32ef3985317208f361bfd98c7d3f987ebfbc9e06f41ec7b9
                • Instruction Fuzzy Hash: 4571AE724187019EC344EF29E8819ABBBF8FF95310F40052EF459C72B2EB719988DB52

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 008B3A50
                • LoadCursorW.USER32(00000000,00007F00), ref: 008B3A5F
                • LoadIconW.USER32(00000063), ref: 008B3A76
                • LoadIconW.USER32(000000A4), ref: 008B3A88
                • LoadIconW.USER32(000000A2), ref: 008B3A9A
                • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008B3AC0
                • RegisterClassExW.USER32(?), ref: 008B3B16
                  • Part of subcall function 008B3041: GetSysColorBrush.USER32(0000000F), ref: 008B3074
                  • Part of subcall function 008B3041: RegisterClassExW.USER32(00000030), ref: 008B309E
                  • Part of subcall function 008B3041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008B30AF
                  • Part of subcall function 008B3041: InitCommonControlsEx.COMCTL32(?), ref: 008B30CC
                  • Part of subcall function 008B3041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008B30DC
                  • Part of subcall function 008B3041: LoadIconW.USER32(000000A9), ref: 008B30F2
                  • Part of subcall function 008B3041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008B3101
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$AutoIt v3
                • API String ID: 423443420-4155596026
                • Opcode ID: 809d374c690e1cf1a9f46f3561598a3b42040b86fe59827a4d12545d4c1e2fa8
                • Instruction ID: ad2e8201cb8ca4a124147815b04524011c94010fb158a8c988f94649334312bb
                • Opcode Fuzzy Hash: 809d374c690e1cf1a9f46f3561598a3b42040b86fe59827a4d12545d4c1e2fa8
                • Instruction Fuzzy Hash: E9216F72D28704AFEB50DFA4EC05B9D7BB0FB08711F000119E618A62B2C7F55580AF84

                Control-flow Graph

                APIs
                • DefWindowProcW.USER32(?,?,?,?), ref: 008B36D2
                • KillTimer.USER32(?,00000001), ref: 008B36FC
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008B371F
                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008B372A
                • CreatePopupMenu.USER32 ref: 008B373E
                • PostQuitMessage.USER32(00000000), ref: 008B374D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                • String ID: TaskbarCreated
                • API String ID: 129472671-2362178303
                • Opcode ID: 43b39875a9529af74ecb8ea98665c9fbdf0dfa17e2ed8d291a6f5bfb3f64b0aa
                • Instruction ID: d51d6fd9719aedf234bb6292c9e88c43b866ccae03425359ef10663c0475e784
                • Opcode Fuzzy Hash: 43b39875a9529af74ecb8ea98665c9fbdf0dfa17e2ed8d291a6f5bfb3f64b0aa
                • Instruction Fuzzy Hash: F0413BB3228A09BBDB246F68DC09BFA3794FB12300F540135F516D63A2DFA19D44B666

                Control-flow Graph

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                • API String ID: 1825951767-3513169116
                • Opcode ID: 16dec98b3d415b9321735630409dec726028deb2c3afdd31c204fab8e3f3423f
                • Instruction ID: 2c36f0606f88eb52c73d6841ba36a7c1c0d6acb28f1e9ef7f0c3c72b5d9e903d
                • Opcode Fuzzy Hash: 16dec98b3d415b9321735630409dec726028deb2c3afdd31c204fab8e3f3423f
                • Instruction Fuzzy Hash: 09A14F7291021D9ADB14EBA8DC55AEEB778FF15300F44052AF415F7292DF70AA08CB62

                Control-flow Graph

                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 015528AD
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                • Instruction ID: c631de91b318dbfcfc4af26321a007fcacd002f85ca06a30b128c8d924a2a2da
                • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                • Instruction Fuzzy Hash: BD510A75A50208FBEB60DFA4CC59FDE77B8BF48710F108554FA09EA180DBB496448B60

                Control-flow Graph

                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008B3A03
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008B3A24
                • ShowWindow.USER32(00000000,?,?), ref: 008B3A38
                • ShowWindow.USER32(00000000,?,?), ref: 008B3A41
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399
                • Opcode ID: b3b0d0ac38f2d2a5ec2674ca693a6f6ad046fdbc1105172bb0aec61e442a2320
                • Instruction ID: d14b9e61ea6062394c5d037377dbd035ec7a67b1d62e9a8945e4b7bf30629da9
                • Opcode Fuzzy Hash: b3b0d0ac38f2d2a5ec2674ca693a6f6ad046fdbc1105172bb0aec61e442a2320
                • Instruction Fuzzy Hash: 45F030729156907EEA7057136C19E272E7DD7C6F50F010029B918A2271C5A10880EE70

                Control-flow Graph

                APIs
                • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008ED3D7
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                • _memset.LIBCMT ref: 008B40FC
                • _wcscpy.LIBCMT ref: 008B4150
                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008B4160
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                • String ID: Line:
                • API String ID: 3942752672-1585850449
                • Opcode ID: c71053bb23545b422ebc2c48448f3e9c9d183a7ea5b3d1a2536e500423bfdd3b
                • Instruction ID: c065ff419a89035dd0c18ff4a27a58f1508993809afd81cb48147b6e207ea66e
                • Opcode Fuzzy Hash: c71053bb23545b422ebc2c48448f3e9c9d183a7ea5b3d1a2536e500423bfdd3b
                • Instruction Fuzzy Hash: 4B31C172408705ABD360EB64DC46BDB77E8FB80314F10451AF599D22A2EB70A648CB93

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                • String ID:
                • API String ID: 1559183368-0
                • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                • Instruction ID: e29c5bdf9e9bc2108c58baf25983c013b821ae726223276297e2eb585f5f41bb
                • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                • Instruction Fuzzy Hash: A1519170A00B09DBDB259E69E88066E77B6FF40335F24872BF825D63D0D7719D908B46

                Control-flow Graph

                APIs
                  • Part of subcall function 008B4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008B4E0F
                • _free.LIBCMT ref: 008EE263
                • _free.LIBCMT ref: 008EE2AA
                  • Part of subcall function 008B6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008B6BAD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _free$CurrentDirectoryLibraryLoad
                • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                • API String ID: 2861923089-1757145024
                • Opcode ID: 21f78a3fc180f6f7af3128de701ffe3ba18eb4b713a607ac170e87a610180e6d
                • Instruction ID: 33c17d54f3a8912c226a634c1ef41e32e28fa77d1539ff26f447ca9e65970740
                • Opcode Fuzzy Hash: 21f78a3fc180f6f7af3128de701ffe3ba18eb4b713a607ac170e87a610180e6d
                • Instruction Fuzzy Hash: 16918B71900259AFCF14EFA9C8919EDB7B8FF09314F04452AF816EB2A1DB70A945CB51
                APIs
                  • Part of subcall function 015541F8: Sleep.KERNELBASE(000001F4), ref: 01554209
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01554474
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: J1I6DAXB3N8HBLMDI9K
                • API String ID: 2694422964-713792410
                • Opcode ID: e7f0a7c54cc089b680c262d20bf3dd0a585d3d5877b0ed11f42196072fe33525
                • Instruction ID: 6eda5e949f4fe29cf08b35f7413ff72bde432bdb089037b4b3ea7b36facc4baf
                • Opcode Fuzzy Hash: e7f0a7c54cc089b680c262d20bf3dd0a585d3d5877b0ed11f42196072fe33525
                • Instruction Fuzzy Hash: 56619430E04249DBEF11DBA4D8547EEBB79EF59300F004599E608BB2C0E7BA1B45CB66
                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008B35A1,SwapMouseButtons,00000004,?), ref: 008B35D4
                • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008B35A1,SwapMouseButtons,00000004,?,?,?,?,008B2754), ref: 008B35F5
                • RegCloseKey.KERNELBASE(00000000,?,?,008B35A1,SwapMouseButtons,00000004,?,?,?,?,008B2754), ref: 008B3617
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: Control Panel\Mouse
                • API String ID: 3677997916-824357125
                • Opcode ID: 88ec2e8c3e32fac47a2e5d53e8525e0b13b10eecc8a9c4fe8e9ad70354190b24
                • Instruction ID: ca051e03e4c253386eafd29e1b30f83ef70b52a5b50a9e94f12abb299be56fe3
                • Opcode Fuzzy Hash: 88ec2e8c3e32fac47a2e5d53e8525e0b13b10eecc8a9c4fe8e9ad70354190b24
                • Instruction Fuzzy Hash: F01148B5914208BFDB218FA8DC80AEFB7B8FF16740F005469E805E7310D2719E40AB60
                APIs
                  • Part of subcall function 008B4EE5: _fseek.LIBCMT ref: 008B4EFD
                  • Part of subcall function 00919734: _wcscmp.LIBCMT ref: 00919824
                  • Part of subcall function 00919734: _wcscmp.LIBCMT ref: 00919837
                • _free.LIBCMT ref: 009196A2
                • _free.LIBCMT ref: 009196A9
                • _free.LIBCMT ref: 00919714
                  • Part of subcall function 008D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008D9A24), ref: 008D2D69
                  • Part of subcall function 008D2D55: GetLastError.KERNEL32(00000000,?,008D9A24), ref: 008D2D7B
                • _free.LIBCMT ref: 0091971C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                • String ID:
                • API String ID: 1552873950-0
                • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                • Instruction ID: e9dfc9b80068efdaca5d51c4a7462039183a706bdd157dff2399a53776e59fd4
                • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                • Instruction Fuzzy Hash: 04513FB1A04258ABDF249F68CC81AEEBB79FF48300F10459EB509E3351DB715A80CF59
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                • String ID:
                • API String ID: 2782032738-0
                • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                • Instruction ID: 8047bf6c8c4065e669189429278dce43ae6937cefb09b2b6f6a25738c92c85de
                • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                • Instruction Fuzzy Hash: 54419375A0074A9BDF188EA9C8849AE77A6FF453A4B24973FE819C7740DB70DD409B40
                APIs
                • _memset.LIBCMT ref: 008EEA39
                • GetOpenFileNameW.COMDLG32(?), ref: 008EEA83
                  • Part of subcall function 008B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B4743,?,?,008B37AE,?), ref: 008B4770
                  • Part of subcall function 008D0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008D07B0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Name$Path$FileFullLongOpen_memset
                • String ID: X
                • API String ID: 3777226403-3081909835
                • Opcode ID: e437d080436f0e39f71667df34deaa08dd6bf01bbd8dba91fc4f94e48cb08523
                • Instruction ID: 628924d0d8f3524271e3678658c3d5c66fb6e14d5716014ee21f881cc141dd92
                • Opcode Fuzzy Hash: e437d080436f0e39f71667df34deaa08dd6bf01bbd8dba91fc4f94e48cb08523
                • Instruction Fuzzy Hash: 2921C331A142989BCF519F98D845BEE7BF9FF49314F00405AE408EB341DBB45989CFA2
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __fread_nolock_memmove
                • String ID: EA06
                • API String ID: 1988441806-3962188686
                • Opcode ID: 74a1464df89a14fbd6db64ffb74924e71c25931306516fed6176abe235ce6d90
                • Instruction ID: b1597027ef20c899de20cfc91534fff4041ed3086e7666395317af819473ef07
                • Opcode Fuzzy Hash: 74a1464df89a14fbd6db64ffb74924e71c25931306516fed6176abe235ce6d90
                • Instruction Fuzzy Hash: BE01F9719042187EDB18CAA8D816EEE7BFCDB11301F00469FF552D62C1E974E6048B60
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 01552F8D
                • ExitProcess.KERNEL32(00000000), ref: 01552FAC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: Process$CreateExit
                • String ID: D
                • API String ID: 126409537-2746444292
                • Opcode ID: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
                • Instruction ID: ea980a00aa042b1672788e9a8281156be378bfc649aa2b5121e71434b3e22a01
                • Opcode Fuzzy Hash: eaefe38700dea64172a30051a10e55a487822181055063bbb51e2642d874e9cd
                • Instruction Fuzzy Hash: CCF0ECB154024DABDB60EFE0CC49FEE7778BF48701F408509BA1A9A184EA7496488B61
                APIs
                • GetTempPathW.KERNEL32(00000104,?), ref: 009198F8
                • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0091990F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Temp$FileNamePath
                • String ID: aut
                • API String ID: 3285503233-3010740371
                • Opcode ID: b9ecbd7c7cbbbb31f460d4efceaba40671d542065102edb1c77f8dc231b6d6e1
                • Instruction ID: 7b74f2153e0d2acc7bdc2e92ae931403ef24cd9cefb43dd032bdfc8d9d7dbeeb
                • Opcode Fuzzy Hash: b9ecbd7c7cbbbb31f460d4efceaba40671d542065102edb1c77f8dc231b6d6e1
                • Instruction Fuzzy Hash: A6D05E7994430DABDB60DBA0DC0EF9BB73CE744704F0002B1BA64920A1EAB095989F91
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 384c14e9649377a885eb21d54da9ce92078e86a4770c15282c360ba8832ecb23
                • Instruction ID: f490ef43d96f4c763b4e7fb14e9456727f63bcb1c802fd26b22f97b4c75f2452
                • Opcode Fuzzy Hash: 384c14e9649377a885eb21d54da9ce92078e86a4770c15282c360ba8832ecb23
                • Instruction Fuzzy Hash: 3DF104B16083119FCB14DF28D580A6EBBE5FF89314F14892EF8999B291D730E945CF82
                APIs
                  • Part of subcall function 008D0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008D0193
                  • Part of subcall function 008D0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 008D019B
                  • Part of subcall function 008D0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008D01A6
                  • Part of subcall function 008D0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008D01B1
                  • Part of subcall function 008D0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 008D01B9
                  • Part of subcall function 008D0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 008D01C1
                  • Part of subcall function 008C60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,008BF930), ref: 008C6154
                • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008BF9CD
                • OleInitialize.OLE32(00000000), ref: 008BFA4A
                • CloseHandle.KERNEL32(00000000), ref: 008F45C8
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                • String ID:
                • API String ID: 1986988660-0
                • Opcode ID: 9ecf01efd8524b9fe8cdc3b0d796c10377cc75e31417271dda5032a63709b708
                • Instruction ID: b9a3b3d88afc3905447bb6713a5c8b176f60bdda147337e79729d0876fa4a1cc
                • Opcode Fuzzy Hash: 9ecf01efd8524b9fe8cdc3b0d796c10377cc75e31417271dda5032a63709b708
                • Instruction Fuzzy Hash: E981AEB2929B40CFD3D4DF39A845A597BE5FB98306B52852AA01DCB371E7F044C4AF11
                APIs
                • _memset.LIBCMT ref: 008B4370
                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 008B4415
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 008B4432
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: IconNotifyShell_$_memset
                • String ID:
                • API String ID: 1505330794-0
                • Opcode ID: e4995b40ae9378fd4e5d9a101900e328bca6b2fe243601b06b83a8b00d7f3d2d
                • Instruction ID: a64f42eed3db0056a8d901927a896a0783ca04994e70963c4428fd93e6e2abf2
                • Opcode Fuzzy Hash: e4995b40ae9378fd4e5d9a101900e328bca6b2fe243601b06b83a8b00d7f3d2d
                • Instruction Fuzzy Hash: 193173715197018FD761DF24D885ADBBBF8FB58308F00092EF59AC2352D7B1A984CB56
                APIs
                • __FF_MSGBANNER.LIBCMT ref: 008D5733
                  • Part of subcall function 008DA16B: __NMSG_WRITE.LIBCMT ref: 008DA192
                  • Part of subcall function 008DA16B: __NMSG_WRITE.LIBCMT ref: 008DA19C
                • __NMSG_WRITE.LIBCMT ref: 008D573A
                  • Part of subcall function 008DA1C8: GetModuleFileNameW.KERNEL32(00000000,009733BA,00000104,?,00000001,00000000), ref: 008DA25A
                  • Part of subcall function 008DA1C8: ___crtMessageBoxW.LIBCMT ref: 008DA308
                  • Part of subcall function 008D309F: ___crtCorExitProcess.LIBCMT ref: 008D30A5
                  • Part of subcall function 008D309F: ExitProcess.KERNEL32 ref: 008D30AE
                  • Part of subcall function 008D8B28: __getptd_noexit.LIBCMT ref: 008D8B28
                • RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,00000000,?,?,?,008D0DD3,?), ref: 008D575F
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                • String ID:
                • API String ID: 1372826849-0
                • Opcode ID: c4ecf297882acf25b664017805ff21e517373a0639f9213d00e8266ecbae9efb
                • Instruction ID: db566a526ed39ddcd60169cdf056c200dcee4675555ee6ca1edeb077fe615ce6
                • Opcode Fuzzy Hash: c4ecf297882acf25b664017805ff21e517373a0639f9213d00e8266ecbae9efb
                • Instruction Fuzzy Hash: 0101F532244B11EAD614273DEC42B2E7788FB42371F700327F409DA381DE708C405662
                APIs
                • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00919548,?,?,?,?,?,00000004), ref: 009198BB
                • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00919548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009198D1
                • CloseHandle.KERNEL32(00000000,?,00919548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009198D8
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: File$CloseCreateHandleTime
                • String ID:
                • API String ID: 3397143404-0
                • Opcode ID: 38fee3acbb4fe45b41fd1cf89d012c92c99055b3d540b18d7ae090053b2e1254
                • Instruction ID: d895a519209468c60208c5cb9d7b3070bfff78a892f8839a9e89e05712163b54
                • Opcode Fuzzy Hash: 38fee3acbb4fe45b41fd1cf89d012c92c99055b3d540b18d7ae090053b2e1254
                • Instruction Fuzzy Hash: FCE08632644218BBD7211B94EC19FDA7B59EB06760F104220FB14690E087B12511AB98
                APIs
                • _free.LIBCMT ref: 00918D1B
                  • Part of subcall function 008D2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,008D9A24), ref: 008D2D69
                  • Part of subcall function 008D2D55: GetLastError.KERNEL32(00000000,?,008D9A24), ref: 008D2D7B
                • _free.LIBCMT ref: 00918D2C
                • _free.LIBCMT ref: 00918D3E
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                • Instruction ID: 8468dea78a88c4b280f2a054e84ddc015662a4924993645ec4fe25ef97804ae5
                • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                • Instruction Fuzzy Hash: 20E012A570270946CB25A57CB940AD313DD9F693527140A1EB40DD72C6CE64F8829124
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID: CALL
                • API String ID: 0-4196123274
                • Opcode ID: 072b05060589635bb2273dbe08eec4524dfeeee8d29241149a40f306547e307a
                • Instruction ID: 6a673967e463426247c8ef5f43868d8ef1c30a334f00a58ba902a8ddeef57995
                • Opcode Fuzzy Hash: 072b05060589635bb2273dbe08eec4524dfeeee8d29241149a40f306547e307a
                • Instruction Fuzzy Hash: 55222670508245DFC728DF28C490AAABBE1FF85314F14896DE99ADB362D771E845CB82
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove
                • String ID: EA06
                • API String ID: 4104443479-3962188686
                • Opcode ID: 062b163f57a0b2644d34dd7668353301a3b6daa79aad9c8e4f5ac07d19805485
                • Instruction ID: 4ed0a2ead67d3678ea81b72d588c1702223ae313f7b8eeae4c6f35319b658b68
                • Opcode Fuzzy Hash: 062b163f57a0b2644d34dd7668353301a3b6daa79aad9c8e4f5ac07d19805485
                • Instruction Fuzzy Hash: 9F414921A0425C6BDF219B68C8637FE7FA2FB45304F6C6475E886DB383D6349D4483A2
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: 8a1fad2dc96cfc5bda97f6ddc727d0ae725561dd87fd932f273e0287656629b4
                • Instruction ID: 8cca4060f50edb9ef2917dcf9a87767a0f4224ee93654ff0136f569873808226
                • Opcode Fuzzy Hash: 8a1fad2dc96cfc5bda97f6ddc727d0ae725561dd87fd932f273e0287656629b4
                • Instruction Fuzzy Hash: CC31B8B1604616AFC704DF68C8D1EADF7A5FF88320B15862AE519CB391EB30E910CB90
                APIs
                • IsThemeActive.UXTHEME ref: 008B4834
                  • Part of subcall function 008D336C: __lock.LIBCMT ref: 008D3372
                  • Part of subcall function 008D336C: DecodePointer.KERNEL32(00000001,?,008B4849,00907C74), ref: 008D337E
                  • Part of subcall function 008D336C: EncodePointer.KERNEL32(?,?,008B4849,00907C74), ref: 008D3389
                  • Part of subcall function 008B48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 008B4915
                  • Part of subcall function 008B48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008B492A
                  • Part of subcall function 008B3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008B3B68
                  • Part of subcall function 008B3B3A: IsDebuggerPresent.KERNEL32 ref: 008B3B7A
                  • Part of subcall function 008B3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,009752F8,009752E0,?,?), ref: 008B3BEB
                  • Part of subcall function 008B3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 008B3C6F
                • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008B4874
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                • String ID:
                • API String ID: 1438897964-0
                • Opcode ID: 2a7a57cda14b1b783229d72616aeae9a3b7967332fcdce6946f720e4d2f070bc
                • Instruction ID: 4d8c84641d076350702b10cceed8a4a173fb95aa09cd7cbcc917c603a0e3833a
                • Opcode Fuzzy Hash: 2a7a57cda14b1b783229d72616aeae9a3b7967332fcdce6946f720e4d2f070bc
                • Instruction Fuzzy Hash: 8B1190729187419FC700DF28E80594ABBE8FF85750F10492EF199C33B2DBB09588DB92
                APIs
                  • Part of subcall function 008D571C: __FF_MSGBANNER.LIBCMT ref: 008D5733
                  • Part of subcall function 008D571C: __NMSG_WRITE.LIBCMT ref: 008D573A
                  • Part of subcall function 008D571C: RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,00000000,?,?,?,008D0DD3,?), ref: 008D575F
                • std::exception::exception.LIBCMT ref: 008D0DEC
                • __CxxThrowException@8.LIBCMT ref: 008D0E01
                  • Part of subcall function 008D859B: RaiseException.KERNEL32(?,?,?,00969E78,00000000,?,?,?,?,008D0E06,?,00969E78,?,00000001), ref: 008D85F0
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                • String ID:
                • API String ID: 3902256705-0
                • Opcode ID: dd660b513062c66d0da07247e0136df4eb66fa527bae7d092166dbbe5f0151c1
                • Instruction ID: 5231f78947e5e6b7e36f77ab034aa8e5f009d69068d179a96d78870a876642b3
                • Opcode Fuzzy Hash: dd660b513062c66d0da07247e0136df4eb66fa527bae7d092166dbbe5f0151c1
                • Instruction Fuzzy Hash: 85F0A43190431DA6CB20BBA8EC05ADE77ADFF01355F10066BF904E6381EF719A50DAE6
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __lock_file_memset
                • String ID:
                • API String ID: 26237723-0
                • Opcode ID: 74159b1ba59865f526b705855b822f4d949b7c209f03d614173d272b4bfbf383
                • Instruction ID: 7158ef332d71fa282f16085e1f4895b9388ad9ef016633be9273efd20fb5f940
                • Opcode Fuzzy Hash: 74159b1ba59865f526b705855b822f4d949b7c209f03d614173d272b4bfbf383
                • Instruction Fuzzy Hash: 79015271800609EACF11AF69DC0289E7B61FF61361B544317B424D6391DB318551DF52
                APIs
                  • Part of subcall function 008D8B28: __getptd_noexit.LIBCMT ref: 008D8B28
                • __lock_file.LIBCMT ref: 008D53EB
                  • Part of subcall function 008D6C11: __lock.LIBCMT ref: 008D6C34
                • __fclose_nolock.LIBCMT ref: 008D53F6
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                • String ID:
                • API String ID: 2800547568-0
                • Opcode ID: 949eb2a10a85a04f01a25cf46fcd8d4c3e64e3a472d35e3e8ef6398f10fb7278
                • Instruction ID: c21234e817f2d86b9425c352af753880965a6cc2baba37ec9376e99cd9a599d3
                • Opcode Fuzzy Hash: 949eb2a10a85a04f01a25cf46fcd8d4c3e64e3a472d35e3e8ef6398f10fb7278
                • Instruction Fuzzy Hash: B9F09071800A04DADB14AB6D9802BAD7BA0FF42374F20830BA464EB3C1CBBC89419B57
                APIs
                  • Part of subcall function 01552828: GetFileAttributesW.KERNELBASE(?), ref: 01552833
                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01553102
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: AttributesCreateDirectoryFile
                • String ID:
                • API String ID: 3401506121-0
                • Opcode ID: 73ec5d08070f7b30050c2de201a0f61f06ecf22841ddd8226ac95e6faa296716
                • Instruction ID: 4a6749f825f0c3ede8e0405808c0709f88f74880066bb8d2c6c1ceb68e5e845f
                • Opcode Fuzzy Hash: 73ec5d08070f7b30050c2de201a0f61f06ecf22841ddd8226ac95e6faa296716
                • Instruction Fuzzy Hash: 70519431A1120996EF14EFB0D814BEE7379FF58300F108569A909FB280EB799B45CB65
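Added example, written for this edit and not part of the Joe Sandbox report, the AsyncRAT sample or the AutoIt runtime: a small Python triage script for the function records on this page. It decodes two fields of the .sdmp dump name (the values seen here, 0x20/0x40 and 0x01000000/0x00020000, line up with the winnt.h PAGE_EXECUTE_READ/PAGE_EXECUTE_READWRITE and MEM_IMAGE/MEM_PRIVATE constants; treating those positions as protection and type is an assumption about Joe Sandbox's naming, not something the report states), then flags records that call process-creation or filesystem APIs from memory that is not backed by a PE image, which is what the CreateProcessW/ExitProcess and GetFileAttributesW/CreateDirectoryW records at 01551000 ("based on PE: false") look like, and records carrying AutoIt3 interpreter strings (EA06, the "aut" temp-file prefix, and the AUTOIT text seen in the LoadLibraryExW arguments further down). The embedded report text is a constructed excerpt of four records from this page; the STAGING_APIS set, the record dataclass and the finding names are the example's own choices.

```python
"""Triage Joe Sandbox function records: flag staging APIs in non-image memory
and AutoIt3 interpreter indicators.  Added example; SAMPLE_REPORT is a
constructed excerpt of the report on this page."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# winnt.h constants used to decode the dump-name fields.
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE = 0x01000000
MEM_PRIVATE = 0x00020000

# Assumption: <base>.<protect>.<?>.<type>.<?>.sdmp is the tail of the dump name.
SDMP_RE = re.compile(
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\."
    r"(?P<type>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
API_RE = re.compile(r"^(?:Part of subcall function [0-9A-Fa-f]+: )?(\S+?)\.([A-Z0-9]+)(?:\(|\s+ref:)")
SRC_RE = re.compile(r"^Source File: (\S+\.sdmp).*based on PE: (true|false)")
STR_RE = re.compile(r"^String ID:\s*(.*)$")

# APIs a loader stage needs to drop and run a payload (example's own choice).
STAGING_APIS = {"CreateProcessW", "CreateDirectoryW", "CreateFileW", "WriteFile",
                "VirtualAlloc", "VirtualProtect", "WriteProcessMemory"}

@dataclass
class FunctionRecord:
    apis: List[str] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)
    source: str = ""
    based_on_pe: Optional[bool] = None

def parse_records(text):
    """One record per 'Instruction Fuzzy Hash' terminator; bullets and indentation stripped."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if (m := API_RE.match(line)):
            cur.apis.append(m.group(1))
            if "AUTOIT" in line.upper():          # e.g. >>>AUTOIT NO CMDEXECUTE<<< as an argument
                cur.strings.append("AUTOIT")
        elif (m := SRC_RE.match(line)):
            cur.source, cur.based_on_pe = m.group(1), m.group(2) == "true"
        elif (m := STR_RE.match(line)):
            cur.strings += [s for s in m.group(1).split("$") if s]   # Joe joins strings with '$'
        elif line.startswith("Instruction Fuzzy Hash:"):
            records.append(cur)
            cur = FunctionRecord()
    if cur.source:                                 # truncated trailing record
        records.append(cur)
    return records

def decode_sdmp(name):
    """Return base address plus decoded protection/type flags, or None if the name does not fit."""
    m = SDMP_RE.search(name)
    if not m:
        return None
    protect, mem_type = int(m["protect"], 16), int(m["type"], 16)
    return {"base": int(m["base"], 16), "protect": protect, "type": mem_type,
            "rwx": protect == PAGE_EXECUTE_READWRITE, "image": mem_type == MEM_IMAGE}

def triage(text):
    findings = []
    for rec in parse_records(text):
        region = decode_sdmp(rec.source) or {}
        staging = sorted(set(rec.apis) & STAGING_APIS)
        if staging and (rec.based_on_pe is False or not region.get("image", True)):
            findings.append({"kind": "staging_in_non_image_memory", "base": region.get("base"),
                             "rwx": region.get("rwx"), "apis": staging})
        autoit = [s for s in rec.strings if s in ("EA06", "aut") or "AUTOIT" in s.upper()]
        if autoit:
            findings.append({"kind": "autoit_indicator", "base": region.get("base"), "strings": autoit})
    return findings

# Constructed excerpt (four records quoted from the report above).
SAMPLE_REPORT = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01552F8D
• ExitProcess.KERNEL32(00000000), ref: 01552FAC
Memory Dump Source
• Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
• String ID: D
• Instruction Fuzzy Hash: CCF0ECB154024DABDB60EFE0CC49FEE7778BF48701F408509BA1A9A184EA7496488B61
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 009198F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0091990F
Memory Dump Source
• Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• String ID: aut
• Instruction Fuzzy Hash: A6D05E7994430DABDB60DBA0DC0EF9BB73CE744704F0002B1BA64920A1EAB095989F91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
• String ID: EA06
• Instruction Fuzzy Hash: 9F414921A0425C6BDF219B68C8637FE7FA2FB45304F6C6475E886DB383D6349D4483A2
APIs
• Part of subcall function 01552828: GetFileAttributesW.KERNELBASE(?), ref: 01552833
• CreateDirectoryW.KERNELBASE(?,00000000), ref: 01553102
Memory Dump Source
• Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
• String ID:
• Instruction Fuzzy Hash: 70519431A1120996EF14EFB0D814BEE7379FF58300F108569A909FB280EB799B45CB65
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f)
```

On the excerpt this yields two staging findings at base 0x1551000 (RWX, MEM_PRIVATE, CreateProcessW and CreateDirectoryW) and two AutoIt indicators from the image-backed 008B0000 module; for a full report, feed the whole function-similarity dump to triage() and sort findings by base to separate the AutoIt host from the unpacked stage.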
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction ID: c7f2cb560ca541b80cc61da76ca8f0aea59345914acc88ddbdfc92f894c5db2e
                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction Fuzzy Hash: 4831B170A101099BC718DF59C484A69F7A6FB59314F6487A6E80ACB355DB31EEC1DFC0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                • Opcode ID: 0b4f5dc5276fb9ba8e7988e4755a9a13ab7f19cceb6090e860d2a941e7e9174a
                • Instruction ID: 35c8c79b1fcbd86de960a10687b75aed550fbcba58e27664728212c7d888b942
                • Opcode Fuzzy Hash: 0b4f5dc5276fb9ba8e7988e4755a9a13ab7f19cceb6090e860d2a941e7e9174a
                • Instruction Fuzzy Hash: 7341F5746043419FDB24DF28C454B6ABBE1FF45318F0989ACE9998B362C771E845CF52
                APIs
                  • Part of subcall function 008B4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 008B4BEF
                  • Part of subcall function 008D525B: __wfsopen.LIBCMT ref: 008D5266
                • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008B4E0F
                  • Part of subcall function 008B4B6A: FreeLibrary.KERNEL32(00000000), ref: 008B4BA4
                  • Part of subcall function 008B4C70: _memmove.LIBCMT ref: 008B4CBA
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Library$Free$Load__wfsopen_memmove
                • String ID:
                • API String ID: 1396898556-0
                • Opcode ID: 2468e6dd1882d0528f607cd36e44530967d4f9c8dfc29127e213aa0d3fec62f0
                • Instruction ID: 9d7fb043187b627b0789800d87819ffbbae361326bc2bdbc6020c8c586abe6b0
                • Opcode Fuzzy Hash: 2468e6dd1882d0528f607cd36e44530967d4f9c8dfc29127e213aa0d3fec62f0
                • Instruction Fuzzy Hash: C711C43160420AABCF10AFB8CC13FED77A5FF44720F108829F541E7283DA7199049B52
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                • Opcode ID: 3a311e7b2e76f28c37411c13d905c265468b1a309aaf190fafc043825c8e84b7
                • Instruction ID: df15ffc172b1a2647feb22949a1d1bce33c17d33c769a1881c7ea45770d7b5aa
                • Opcode Fuzzy Hash: 3a311e7b2e76f28c37411c13d905c265468b1a309aaf190fafc043825c8e84b7
                • Instruction Fuzzy Hash: 2121FFB4908345DFCB24DF24C454A6ABBE0FF88314F058968E99A97722D731E809CF92
                APIs
                • __lock_file.LIBCMT ref: 008D48A6
                  • Part of subcall function 008D8B28: __getptd_noexit.LIBCMT ref: 008D8B28
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __getptd_noexit__lock_file
                • String ID:
                • API String ID: 2597487223-0
                • Opcode ID: 698c086a4587ad2279ca4b373d6010c402e8a5676259fd07e108f565ce8345ef
                • Instruction ID: 7dedd1ffa34a24421722c058223f5c91fc52868a69e6074e47d39589410ab91c
                • Opcode Fuzzy Hash: 698c086a4587ad2279ca4b373d6010c402e8a5676259fd07e108f565ce8345ef
                • Instruction Fuzzy Hash: 54F0AF31900649EBDF11AFA8CC067AE37A1FF00365F159626B424DA391DBB88951EB52
                APIs
                • FreeLibrary.KERNEL32(?,?,009752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008B4E7E
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: FreeLibrary
                • String ID:
                • API String ID: 3664257935-0
                • Opcode ID: 948b4b622869ab6b72cb9f54053c332eed3c3514eccd1a8a3599fa893cbe45db
                • Instruction ID: 956aa3f939aa6e64400d24ed2a83e9acd3943509d5265670b27efadd0932b7c2
                • Opcode Fuzzy Hash: 948b4b622869ab6b72cb9f54053c332eed3c3514eccd1a8a3599fa893cbe45db
                • Instruction Fuzzy Hash: 5BF0F271505711CFCB349F64E895892BBE1FB143393209A2EE19682722C772E840DB40
                APIs
                • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008D07B0
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: LongNamePath_memmove
                • String ID:
                • API String ID: 2514874351-0
                • Opcode ID: 008012267f41ddbb71840948f72d67a48fc78bb2851a3fb959d85927394137dd
                • Instruction ID: 24ff924249748af08ffc75b7659638563f5340d222f312f89dbee4ecc90cc322
                • Opcode Fuzzy Hash: 008012267f41ddbb71840948f72d67a48fc78bb2851a3fb959d85927394137dd
                • Instruction Fuzzy Hash: 6FE0863690422857C720A66D9C05FEA779DEB897A0F0441B5FC08D7245D9609C808A91
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __fread_nolock
                • String ID:
                • API String ID: 2638373210-0
                • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                • Instruction ID: 30c9aeb670e2394a22c3a91cb050e2593157d88b6ec054be52166b23ac4bf4ae
                • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                • Instruction Fuzzy Hash: F6E092B0204B045BD7399A24D801BE377E5EB05304F00091DF2AAC3241EB6278819759
                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 01552833
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                • Instruction ID: b6414ba49421be9d17a8a5450ea55c81085baa008c6a7f51dd597962bfd2744e
                • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                • Instruction Fuzzy Hash: 46E08C30A05308EBDB98CEE8C964AAD73A8BB04320F104A6EBD1ACB280D6309A04D750
                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 01552803
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                • Instruction ID: fe692e7a808ec8ef84dbc5d9d51e3bfe72d80f87c29622f9b14b00b1ec283b27
                • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                • Instruction Fuzzy Hash: 65D05E3090520CEBCB60CAE9990499D73A8EB05320F008755FD15872C0D63199009790
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __wfsopen
                • String ID:
                • API String ID: 197181222-0
                • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                • Instruction ID: 61ebc19dbf1bf0c257be23ac3c7279a10b285bfb0fdb7e5d96760295420e8c96
                • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                • Instruction Fuzzy Hash: 01B0927644020C77CE012A86EC02A493B1AAB41B64F408022FB0C18262E673A6689A8A
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 01554209
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction ID: b148edb1514e51cc91858cad88f40878bd21bae8570846575bb689992f683c5d
                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction Fuzzy Hash: EAE09A7494410DAFDB00DFA4D54969D7BB4EF04302F1005A1FD0596680DA309A549A62
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 01554209
                Memory Dump Source
                • Source File: 00000000.00000002.2100028771.0000000001551000.00000040.00000020.00020000.00000000.sdmp, Offset: 01551000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1551000_Drawing&spec.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction ID: fb0fbed3a29ebf985e53c8677d2011026ecfc68df2b0bb0cc849d1097aaf404f
                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction Fuzzy Hash: A4E0E67494410DDFDB00DFF4D54969D7BF4FF04302F100161FD01D2280D6309D509A62
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0093CB37
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0093CB95
                • GetWindowLongW.USER32(?,000000F0), ref: 0093CBD6
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0093CC00
                • SendMessageW.USER32 ref: 0093CC29
                • _wcsncpy.LIBCMT ref: 0093CC95
                • GetKeyState.USER32(00000011), ref: 0093CCB6
                • GetKeyState.USER32(00000009), ref: 0093CCC3
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0093CCD9
                • GetKeyState.USER32(00000010), ref: 0093CCE3
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0093CD0C
                • SendMessageW.USER32 ref: 0093CD33
                • SendMessageW.USER32(?,00001030,?,0093B348), ref: 0093CE37
                • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0093CE4D
                • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0093CE60
                • SetCapture.USER32(?), ref: 0093CE69
                • ClientToScreen.USER32(?,?), ref: 0093CECE
                • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0093CEDB
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0093CEF5
                • ReleaseCapture.USER32 ref: 0093CF00
                • GetCursorPos.USER32(?), ref: 0093CF3A
                • ScreenToClient.USER32(?,?), ref: 0093CF47
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0093CFA3
                • SendMessageW.USER32 ref: 0093CFD1
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0093D00E
                • SendMessageW.USER32 ref: 0093D03D
                • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0093D05E
                • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0093D06D
                • GetCursorPos.USER32(?), ref: 0093D08D
                • ScreenToClient.USER32(?,?), ref: 0093D09A
                • GetParent.USER32(?), ref: 0093D0BA
                • SendMessageW.USER32(?,00001012,00000000,?), ref: 0093D123
                • SendMessageW.USER32 ref: 0093D154
                • ClientToScreen.USER32(?,?), ref: 0093D1B2
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0093D1E2
                • SendMessageW.USER32(?,00001111,00000000,?), ref: 0093D20C
                • SendMessageW.USER32 ref: 0093D22F
                • ClientToScreen.USER32(?,?), ref: 0093D281
                • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0093D2B5
                  • Part of subcall function 008B25DB: GetWindowLongW.USER32(?,000000EB), ref: 008B25EC
                • GetWindowLongW.USER32(?,000000F0), ref: 0093D351
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                • String ID: @GUI_DRAGID$F
                • API String ID: 3977979337-4164748364
                • Opcode ID: cad69b077d3d047160ec7b60c705069d70e00384e76f696a7f00f65811ec33cc
                • Instruction ID: 88a78cad67e4ab2623eb00c3cb7adbd98a0ffe8695aa321af6d273e5b0c549dd
                • Opcode Fuzzy Hash: cad69b077d3d047160ec7b60c705069d70e00384e76f696a7f00f65811ec33cc
                • Instruction Fuzzy Hash: 4B42BBB4608A41AFDB24CF28D855EAABBF9FF48314F140919F599A72B0C771D840EF52
                APIs
                • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 009384D0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: %d/%02d/%02d
                • API String ID: 3850602802-328681919
                • Opcode ID: a1591d4ca8730519f35c832b3d6736f893bd8281dce56ecc1cb5ce290b359aa2
                • Instruction ID: 8cc27e7ac4019e3c20b72f3add8277f93c29b4031a37bffb3ef8cc0c071ec531
                • Opcode Fuzzy Hash: a1591d4ca8730519f35c832b3d6736f893bd8281dce56ecc1cb5ce290b359aa2
                • Instruction Fuzzy Hash: 1612CC71A04309ABEB249F68CC49FAB7BB8FF45314F10462AF915EA2E1DB748945CF10
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove$_memset
                • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                • API String ID: 1357608183-1798697756
                • Opcode ID: 7ffcf1dfc7a7e48b44a4601ebdc734086d9072ed819879ac83175b758838bec9
                • Instruction ID: 4553377d6bf5d3d2e21b937425b2ed8d77ee3958808f5a89c705c561839a771a
                • Opcode Fuzzy Hash: 7ffcf1dfc7a7e48b44a4601ebdc734086d9072ed819879ac83175b758838bec9
                • Instruction Fuzzy Hash: 1E93BF71A04219DFDB24CFA8C881BADB7B5FF48710F24856AE955EB2C1E7749E81CB40
                APIs
                • GetForegroundWindow.USER32(00000000,?), ref: 008B48DF
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008ED665
                • IsIconic.USER32(?), ref: 008ED66E
                • ShowWindow.USER32(?,00000009), ref: 008ED67B
                • SetForegroundWindow.USER32(?), ref: 008ED685
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008ED69B
                • GetCurrentThreadId.KERNEL32 ref: 008ED6A2
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 008ED6AE
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 008ED6BF
                • AttachThreadInput.USER32(?,00000000,00000001), ref: 008ED6C7
                • AttachThreadInput.USER32(00000000,?,00000001), ref: 008ED6CF
                • SetForegroundWindow.USER32(?), ref: 008ED6D2
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008ED6E7
                • keybd_event.USER32(00000012,00000000), ref: 008ED6F2
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008ED6FC
                • keybd_event.USER32(00000012,00000000), ref: 008ED701
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008ED70A
                • keybd_event.USER32(00000012,00000000), ref: 008ED70F
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008ED719
                • keybd_event.USER32(00000012,00000000), ref: 008ED71E
                • SetForegroundWindow.USER32(?), ref: 008ED721
                • AttachThreadInput.USER32(?,?,00000000), ref: 008ED748
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 4125248594-2988720461
                • Opcode ID: a3e3048af370830898b0ca219d349e100f3423c88ae83f29ede33eeff6eb5ad5
                • Instruction ID: a3aa82318027e2527ff79a9583bad41a3029e1f19275710cad3c0351d2295fb3
                • Opcode Fuzzy Hash: a3e3048af370830898b0ca219d349e100f3423c88ae83f29ede33eeff6eb5ad5
                • Instruction Fuzzy Hash: 35315271A5435CBBEB206BA29C4AF7F7E6CEB45B50F104025FA05EA1E1C6B05D01BEA1
                APIs
                  • Part of subcall function 009087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090882B
                  • Part of subcall function 009087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00908858
                  • Part of subcall function 009087E1: GetLastError.KERNEL32 ref: 00908865
                • _memset.LIBCMT ref: 00908353
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009083A5
                • CloseHandle.KERNEL32(?), ref: 009083B6
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009083CD
                • GetProcessWindowStation.USER32 ref: 009083E6
                • SetProcessWindowStation.USER32(00000000), ref: 009083F0
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0090840A
                  • Part of subcall function 009081CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00908309), ref: 009081E0
                  • Part of subcall function 009081CB: CloseHandle.KERNEL32(?,?,00908309), ref: 009081F2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                • String ID: $default$winsta0
                • API String ID: 2063423040-1027155976
                • Opcode ID: dadd90c79dc93e8a17e446a7948dbb6eb52578edcc56796414c481092914d00a
                • Instruction ID: c5bfe365b3a1f049da7f2687c544588a2f68c145d2b2b5097eda33d677e5683f
                • Opcode Fuzzy Hash: dadd90c79dc93e8a17e446a7948dbb6eb52578edcc56796414c481092914d00a
                • Instruction Fuzzy Hash: AB815BB1A04209AFDF119FA4CC45AEFBBBDFF04308F144169F954A62A1DB318E14DB20
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 0091C78D
                • FindClose.KERNEL32(00000000), ref: 0091C7E1
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0091C806
                • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0091C81D
                • FileTimeToSystemTime.KERNEL32(?,?), ref: 0091C844
                • __swprintf.LIBCMT ref: 0091C890
                • __swprintf.LIBCMT ref: 0091C8D3
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • __swprintf.LIBCMT ref: 0091C927
                  • Part of subcall function 008D3698: __woutput_l.LIBCMT ref: 008D36F1
                • __swprintf.LIBCMT ref: 0091C975
                  • Part of subcall function 008D3698: __flsbuf.LIBCMT ref: 008D3713
                  • Part of subcall function 008D3698: __flsbuf.LIBCMT ref: 008D372B
                • __swprintf.LIBCMT ref: 0091C9C4
                • __swprintf.LIBCMT ref: 0091CA13
                • __swprintf.LIBCMT ref: 0091CA62
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                • API String ID: 3953360268-2428617273
                • Opcode ID: e10b78018d51a01215270a19c8b23db54217edac77ad502e8a634fdc8187ed26
                • Instruction ID: 9175984c669127f30b69758c1d20f1f46bff039dbb5ed91f0b66a98aa71aef14
                • Opcode Fuzzy Hash: e10b78018d51a01215270a19c8b23db54217edac77ad502e8a634fdc8187ed26
                • Instruction Fuzzy Hash: 18A10AB1508304ABD750EBA8D885DEFB7ECFF95704F400929F595C6291EA34EA48CB63
                APIs
                • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0091EFB6
                • _wcscmp.LIBCMT ref: 0091EFCB
                • _wcscmp.LIBCMT ref: 0091EFE2
                • GetFileAttributesW.KERNEL32(?), ref: 0091EFF4
                • SetFileAttributesW.KERNEL32(?,?), ref: 0091F00E
                • FindNextFileW.KERNEL32(00000000,?), ref: 0091F026
                • FindClose.KERNEL32(00000000), ref: 0091F031
                • FindFirstFileW.KERNEL32(*.*,?), ref: 0091F04D
                • _wcscmp.LIBCMT ref: 0091F074
                • _wcscmp.LIBCMT ref: 0091F08B
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091F09D
                • SetCurrentDirectoryW.KERNEL32(00968920), ref: 0091F0BB
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0091F0C5
                • FindClose.KERNEL32(00000000), ref: 0091F0D2
                • FindClose.KERNEL32(00000000), ref: 0091F0E4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1803514871-438819550
                • Opcode ID: 13afe1c05e6fe282b93469e8cd399791e9228eee7e54cca46b4e48ee7ed03219
                • Instruction ID: 3e1cb66b9b7ca274506d52b756116722fd4ee802612e06892dd029809599c14b
                • Opcode Fuzzy Hash: 13afe1c05e6fe282b93469e8cd399791e9228eee7e54cca46b4e48ee7ed03219
                • Instruction Fuzzy Hash: 6131D632A0521D6ADB14DFB4EC68AEE77ACAF49360F100176E814D31A1DB70DE84DE51
                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00930953
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,0093F910,00000000,?,00000000,?,?), ref: 009309C1
                • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00930A09
                • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00930A92
                • RegCloseKey.ADVAPI32(?), ref: 00930DB2
                • RegCloseKey.ADVAPI32(00000000), ref: 00930DBF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Close$ConnectCreateRegistryValue
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 536824911-966354055
                • Opcode ID: f465a3a010514854c2be13bec0d1e4af90aa261a2a52c24646821227a478f845
                • Instruction ID: 229740001c9e1052985f8809a707bf818dd34c5f07c514e39fe4320eda0b8cc9
                • Opcode Fuzzy Hash: f465a3a010514854c2be13bec0d1e4af90aa261a2a52c24646821227a478f845
                • Instruction Fuzzy Hash: 660239756046119FCB14EF18C851E6AB7E5FF89314F04896DF99A9B3A2CB30EC45CB82
                APIs
                • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0091F113
                • _wcscmp.LIBCMT ref: 0091F128
                • _wcscmp.LIBCMT ref: 0091F13F
                  • Part of subcall function 00914385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009143A0
                • FindNextFileW.KERNEL32(00000000,?), ref: 0091F16E
                • FindClose.KERNEL32(00000000), ref: 0091F179
                • FindFirstFileW.KERNEL32(*.*,?), ref: 0091F195
                • _wcscmp.LIBCMT ref: 0091F1BC
                • _wcscmp.LIBCMT ref: 0091F1D3
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091F1E5
                • SetCurrentDirectoryW.KERNEL32(00968920), ref: 0091F203
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0091F20D
                • FindClose.KERNEL32(00000000), ref: 0091F21A
                • FindClose.KERNEL32(00000000), ref: 0091F22C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 1824444939-438819550
                • Opcode ID: 6d0bc6e49c9ccc2be3308e7af7b50498eb2892f8088a8906b318a120cb6c78d7
                • Instruction ID: d8ed2eb835b5195cd64539361e44a27b8c45080f63b11ff6ed4ec247ac7873c7
                • Opcode Fuzzy Hash: 6d0bc6e49c9ccc2be3308e7af7b50498eb2892f8088a8906b318a120cb6c78d7
                • Instruction Fuzzy Hash: F5310736A0421DBACF149B64EC68EEE77ACAF85360F100671E814E31A0DB30DE85DE55
                APIs
                • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0091A20F
                • __swprintf.LIBCMT ref: 0091A231
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 0091A26E
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0091A293
                • _memset.LIBCMT ref: 0091A2B2
                • _wcsncpy.LIBCMT ref: 0091A2EE
                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0091A323
                • CloseHandle.KERNEL32(00000000), ref: 0091A32E
                • RemoveDirectoryW.KERNEL32(?), ref: 0091A337
                • CloseHandle.KERNEL32(00000000), ref: 0091A341
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                • String ID: :$\$\??\%s
                • API String ID: 2733774712-3457252023
                • Opcode ID: 1f4934318cd60d75d9ec32ad1a260051d2c13d2a31db2c1eb997625e43bcd9b1
                • Instruction ID: 54900be3d0f99146c1ae42d0dd5f797ad918d85ce3c2755196b3181e016a8993
                • Opcode Fuzzy Hash: 1f4934318cd60d75d9ec32ad1a260051d2c13d2a31db2c1eb997625e43bcd9b1
                • Instruction Fuzzy Hash: 0E31B471A04109ABDB21DFA4DC49FEB77BCEF89740F1041B6F918D2160EB709A858F25
                APIs
                  • Part of subcall function 00908202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0090821E
                  • Part of subcall function 00908202: GetLastError.KERNEL32(?,00907CE2,?,?,?), ref: 00908228
                  • Part of subcall function 00908202: GetProcessHeap.KERNEL32(00000008,?,?,00907CE2,?,?,?), ref: 00908237
                  • Part of subcall function 00908202: HeapAlloc.KERNEL32(00000000,?,00907CE2,?,?,?), ref: 0090823E
                  • Part of subcall function 00908202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00908255
                  • Part of subcall function 0090829F: GetProcessHeap.KERNEL32(00000008,00907CF8,00000000,00000000,?,00907CF8,?), ref: 009082AB
                  • Part of subcall function 0090829F: HeapAlloc.KERNEL32(00000000,?,00907CF8,?), ref: 009082B2
                  • Part of subcall function 0090829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00907CF8,?), ref: 009082C3
                • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00907D13
                • _memset.LIBCMT ref: 00907D28
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00907D47
                • GetLengthSid.ADVAPI32(?), ref: 00907D58
                • GetAce.ADVAPI32(?,00000000,?), ref: 00907D95
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00907DB1
                • GetLengthSid.ADVAPI32(?), ref: 00907DCE
                • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00907DDD
                • HeapAlloc.KERNEL32(00000000), ref: 00907DE4
                • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00907E05
                • CopySid.ADVAPI32(00000000), ref: 00907E0C
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00907E3D
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00907E63
                • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00907E77
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                • String ID:
                • API String ID: 3996160137-0
                • Opcode ID: 38e568bad7bf434a56cf7a95d677eae8603090345189b1739ee3d3a47e02c29c
                • Instruction ID: b93e5f71622d52b6abc1d60f64380b1d3d7adf7677b001dfcc3963b83bd58e50
                • Opcode Fuzzy Hash: 38e568bad7bf434a56cf7a95d677eae8603090345189b1739ee3d3a47e02c29c
                • Instruction Fuzzy Hash: F9613B71D08209AFDF049FA4DC85AAEBB79FF04710F048169E915E62A1DB31AA15DF60
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                • API String ID: 0-4052911093
                • Opcode ID: 204a806104a75d3e7583b0179d02f8c6169f6afa7781c81050aa82229da72bfa
                • Instruction ID: ef4f95d16a5597f528b5327fffdc00a682631dc061d0797658295b64c611b0fd
                • Opcode Fuzzy Hash: 204a806104a75d3e7583b0179d02f8c6169f6afa7781c81050aa82229da72bfa
                • Instruction Fuzzy Hash: 6B723D75E00219DFDB24CF59D890BAEB7F5FF48710F14816AE849EB291E7349981CB90
                APIs
                • GetKeyboardState.USER32(?), ref: 00910097
                • SetKeyboardState.USER32(?), ref: 00910102
                • GetAsyncKeyState.USER32(000000A0), ref: 00910122
                • GetKeyState.USER32(000000A0), ref: 00910139
                • GetAsyncKeyState.USER32(000000A1), ref: 00910168
                • GetKeyState.USER32(000000A1), ref: 00910179
                • GetAsyncKeyState.USER32(00000011), ref: 009101A5
                • GetKeyState.USER32(00000011), ref: 009101B3
                • GetAsyncKeyState.USER32(00000012), ref: 009101DC
                • GetKeyState.USER32(00000012), ref: 009101EA
                • GetAsyncKeyState.USER32(0000005B), ref: 00910213
                • GetKeyState.USER32(0000005B), ref: 00910221
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: cce0b11d84242200f90c83e5c36e5b0b4c2bae3a7e6241d34b08391b064bbddd
                • Instruction ID: 897d064162cc8df24cd3d0d2d6b32314f3dbc1c30b7da41eaccae7e0ae7ddc96
                • Opcode Fuzzy Hash: cce0b11d84242200f90c83e5c36e5b0b4c2bae3a7e6241d34b08391b064bbddd
                • Instruction Fuzzy Hash: C551DC20B0878C69FB35DBA088557EABFB89F81380F08459A95C2575C2DAE59BCCC761
                APIs
                  • Part of subcall function 00930E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092FDAD,?,?), ref: 00930E31
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009304AC
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0093054B
                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009305E3
                • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00930822
                • RegCloseKey.ADVAPI32(00000000), ref: 0093082F
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                • String ID:
                • API String ID: 1240663315-0
                • Opcode ID: 4b4a5b4a632ccf925c9dccf1576f16c4ce51d614397b76ff423ca97a34021b6e
                • Instruction ID: b51db61e274cb928712f7a0efbc285b50112ee2d347ab95051859498a999c8ae
                • Opcode Fuzzy Hash: 4b4a5b4a632ccf925c9dccf1576f16c4ce51d614397b76ff423ca97a34021b6e
                • Instruction Fuzzy Hash: ABE13C31604214AFCB14DF28C895E6ABBE9FF89314F04896DF94ADB261D631ED01CF92
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                • String ID:
                • API String ID: 1737998785-0
                • Opcode ID: 6fee9ad867dbb71ba32df0303a715db0ee3569d6e0fdf7dcb270071109e195c3
                • Instruction ID: 51d7922751029c44ad1fa9430a298db3dff62f05689f5b11452cdfe58f070707
                • Opcode Fuzzy Hash: 6fee9ad867dbb71ba32df0303a715db0ee3569d6e0fdf7dcb270071109e195c3
                • Instruction Fuzzy Hash: B6219F35604214DFDB10AF24EC1AB6A7BA8FF55710F10802AF956DB2B2DB74AC40DF95
                APIs
                  • Part of subcall function 008B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B4743,?,?,008B37AE,?), ref: 008B4770
                  • Part of subcall function 00914A31: GetFileAttributesW.KERNEL32(?,0091370B), ref: 00914A32
                • FindFirstFileW.KERNEL32(?,?), ref: 009138A3
                • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0091394B
                • MoveFileW.KERNEL32(?,?), ref: 0091395E
                • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0091397B
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0091399D
                • FindClose.KERNEL32(00000000,?,?,?,?), ref: 009139B9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                • String ID: \*.*
                • API String ID: 4002782344-1173974218
                • Opcode ID: 670d788d76bc0a8a417153092f942334a2c52c8c3157e938cc0ad16057606e9d
                • Instruction ID: a2f471f17cabc81bcf968407d7be8f4178ed8f1e425016d8fab5bc6c2c690629
                • Opcode Fuzzy Hash: 670d788d76bc0a8a417153092f942334a2c52c8c3157e938cc0ad16057606e9d
                • Instruction Fuzzy Hash: C7518D3190514CEACF05EBA4DA929EDBB78AF54300F644069E406B72A1EF216F49CB62
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0091F440
                • Sleep.KERNEL32(0000000A), ref: 0091F470
                • _wcscmp.LIBCMT ref: 0091F484
                • _wcscmp.LIBCMT ref: 0091F49F
                • FindNextFileW.KERNEL32(?,?), ref: 0091F53D
                • FindClose.KERNEL32(00000000), ref: 0091F553
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                • String ID: *.*
                • API String ID: 713712311-438819550
                • Opcode ID: 9abdf977fbf5bd3f2d62cc83a0b2bdbb206b28d762d485d70a51c38e90fae730
                • Instruction ID: 4ea9bc8e65f042bcc365324e9e2cb7d943ade2d6ff06236c5f2724d1b623d0c2
                • Opcode Fuzzy Hash: 9abdf977fbf5bd3f2d62cc83a0b2bdbb206b28d762d485d70a51c38e90fae730
                • Instruction Fuzzy Hash: 7A416D71A0420E9FCF14DF68DC69AEEBBB8FF04310F144566F815A22A1EB309A85CF51
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove
                • String ID:
                • API String ID: 4104443479-0
                • Opcode ID: 216aede4f8c42f0ce78c6d5c9a93604a8196346efc5d629748b94c3cfcf8907d
                • Instruction ID: bebe5d6e490409e830da2a250c2e9b517ffb336ccd12b48d86a0d05673c840fb
                • Opcode Fuzzy Hash: 216aede4f8c42f0ce78c6d5c9a93604a8196346efc5d629748b94c3cfcf8907d
                • Instruction Fuzzy Hash: 0E126B70A00609DFDF04DFA9D981BEEB7B5FF88300F104669E846E7290EB36A955CB51
                APIs
                  • Part of subcall function 008B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B4743,?,?,008B37AE,?), ref: 008B4770
                  • Part of subcall function 00914A31: GetFileAttributesW.KERNEL32(?,0091370B), ref: 00914A32
                • FindFirstFileW.KERNEL32(?,?), ref: 00913B89
                • DeleteFileW.KERNEL32(?,?,?,?), ref: 00913BD9
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00913BEA
                • FindClose.KERNEL32(00000000), ref: 00913C01
                • FindClose.KERNEL32(00000000), ref: 00913C0A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                • String ID: \*.*
                • API String ID: 2649000838-1173974218
                • Opcode ID: c05df8ac4079d15686dee5369b589d1924c39240cbcc666e7271dc3364e534f7
                • Instruction ID: fcee67cfbf80efd167958c73a8f0bd6244e7e555d32848f9f87a01623847d725
                • Opcode Fuzzy Hash: c05df8ac4079d15686dee5369b589d1924c39240cbcc666e7271dc3364e534f7
                • Instruction Fuzzy Hash: 57316F3100C3859BC601EB28D8918EFBBBCBE95314F444D2DF4D5922A1EB21DA09DB93
                APIs
                  • Part of subcall function 009087E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090882B
                  • Part of subcall function 009087E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00908858
                  • Part of subcall function 009087E1: GetLastError.KERNEL32 ref: 00908865
                • ExitWindowsEx.USER32(?,00000000), ref: 009151F9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                • String ID: $@$SeShutdownPrivilege
                • API String ID: 2234035333-194228
                • Opcode ID: 5c5f212fbfc12ca7f58c33672a8cc762d26317235100ff67cda46306b12ce158
                • Instruction ID: 6118c44ab97f1a3d5dae74ea6eb0542cf548217344edd00387bd11126c8a032b
                • Opcode Fuzzy Hash: 5c5f212fbfc12ca7f58c33672a8cc762d26317235100ff67cda46306b12ce158
                • Instruction Fuzzy Hash: F601FC327A5619EBE76852689C9AFF7725CDB89750F230C20F963D20D1DA715C808590
                APIs
                • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009262DC
                • WSAGetLastError.WSOCK32(00000000), ref: 009262EB
                • bind.WSOCK32(00000000,?,00000010), ref: 00926307
                • listen.WSOCK32(00000000,00000005), ref: 00926316
                • WSAGetLastError.WSOCK32(00000000), ref: 00926330
                • closesocket.WSOCK32(00000000,00000000), ref: 00926344
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ErrorLast$bindclosesocketlistensocket
                • String ID:
                • API String ID: 1279440585-0
                • Opcode ID: cdb2c6a5f9c8070154a47f4e6d4a7916b84f1219136ad710491d3251514cc15b
                • Instruction ID: 81f3a2a81ba4e259a937fc478fd3c88fb4cfdb5b9d3c265a81697e7ce677f3d7
                • Opcode Fuzzy Hash: cdb2c6a5f9c8070154a47f4e6d4a7916b84f1219136ad710491d3251514cc15b
                • Instruction Fuzzy Hash: 6021CC31600210AFCB10EF68D845B6EB7B9EF49720F148168F956E73E1CB70AC05DB51
                APIs
                  • Part of subcall function 008D0DB6: std::exception::exception.LIBCMT ref: 008D0DEC
                  • Part of subcall function 008D0DB6: __CxxThrowException@8.LIBCMT ref: 008D0E01
                • _memmove.LIBCMT ref: 00900258
                • _memmove.LIBCMT ref: 0090036D
                • _memmove.LIBCMT ref: 00900414
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove$Exception@8Throwstd::exception::exception
                • String ID:
                • API String ID: 1300846289-0
                • Opcode ID: ff6ca4548e1b897ce50c193e0e1391aaad859bd5757b0c2c3c04246b54bb7fca
                • Instruction ID: c510dc68a89114123497162aba9107b0d7fb958270fd5088e170c53c29b38154
                • Opcode Fuzzy Hash: ff6ca4548e1b897ce50c193e0e1391aaad859bd5757b0c2c3c04246b54bb7fca
                • Instruction Fuzzy Hash: FA026C70A00209DFCF04DF68D981AAEBBB5FF84300F558069E80ADB395EB35E955DB91
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • DefDlgProcW.USER32(?,?,?,?,?), ref: 008B19FA
                • GetSysColor.USER32(0000000F), ref: 008B1A4E
                • SetBkColor.GDI32(?,00000000), ref: 008B1A61
                  • Part of subcall function 008B1290: DefDlgProcW.USER32(?,00000020,?), ref: 008B12D8
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ColorProc$LongWindow
                • String ID:
                • API String ID: 3744519093-0
                • Opcode ID: 3bbf80b79956b4cfc92c0c54cb565d645f448b9bf5934ac77e00e19c3ceaf91b
                • Instruction ID: c3dc6721657a307121f4136201857ce38c0e75a57708157a51b38c1d5cce646f
                • Opcode Fuzzy Hash: 3bbf80b79956b4cfc92c0c54cb565d645f448b9bf5934ac77e00e19c3ceaf91b
                • Instruction Fuzzy Hash: A1A15D711165A8BAEE28AB294C7CEFF399DFB43745F940119F502DD3A2DB10AD0097B2
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 0091BCE6
                • _wcscmp.LIBCMT ref: 0091BD16
                • _wcscmp.LIBCMT ref: 0091BD2B
                • FindNextFileW.KERNEL32(00000000,?), ref: 0091BD3C
                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0091BD6C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Find$File_wcscmp$CloseFirstNext
                • String ID:
                • API String ID: 2387731787-0
                • Opcode ID: 3d246616d6bf1f5b4180209c9505571e784f1a85a96c53d5f5ea0423a860e744
                • Instruction ID: 7e34f079a32792e42e9320c58f90749b27e354ccf9e8ca9c3fe1feccdb1ae3d3
                • Opcode Fuzzy Hash: 3d246616d6bf1f5b4180209c9505571e784f1a85a96c53d5f5ea0423a860e744
                • Instruction Fuzzy Hash: 645158796046069FC718DF28D490ADAB3E9FF49324F104629E95AC73A1DB30AD44CB92
                APIs
                  • Part of subcall function 00927D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00927DB6
                • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0092679E
                • WSAGetLastError.WSOCK32(00000000), ref: 009267C7
                • bind.WSOCK32(00000000,?,00000010), ref: 00926800
                • WSAGetLastError.WSOCK32(00000000), ref: 0092680D
                • closesocket.WSOCK32(00000000,00000000), ref: 00926821
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ErrorLast$bindclosesocketinet_addrsocket
                • String ID:
                • API String ID: 99427753-0
                • Opcode ID: 5065668b7e98f816bf8a24a5d5e822726b3561a41bad6e69f5195c77a37d695a
                • Instruction ID: 991e89524d8dc3dc53dea828751e0c04a4a8617a1dac59a801d52e1ed4c66ff0
                • Opcode Fuzzy Hash: 5065668b7e98f816bf8a24a5d5e822726b3561a41bad6e69f5195c77a37d695a
                • Instruction Fuzzy Hash: F541CA75A40210AFDB50BF689C86F6E77A8EF45714F044468FA59EB3D2CA709D008792
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: 0d672006749f19286d294629361f35c8f7f4ce63ac5fba408358f823864a3a8c
                • Instruction ID: 8a6700c7e5d608781187742a4f219b230f71bea0a6530da63a92601ef2aaf05b
                • Opcode Fuzzy Hash: 0d672006749f19286d294629361f35c8f7f4ce63ac5fba408358f823864a3a8c
                • Instruction Fuzzy Hash: 971108317009119FD7206F26DC44A6E7B9CFF493A1F024438F845D3251CBB0DD018E91
                APIs
                • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009080C0
                • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009080CA
                • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009080D9
                • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009080E0
                • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009080F6
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: 33637cdbd54295c524cc3fa560a0a00b8b3a598e8daf60452663d02dba4bdde0
                • Instruction ID: 7bb704dd790bab6f5c2337d9da214e30376ee5a3950e867e3b913f71edce85f8
                • Opcode Fuzzy Hash: 33637cdbd54295c524cc3fa560a0a00b8b3a598e8daf60452663d02dba4bdde0
                • Instruction Fuzzy Hash: A4F0623176C204AFEB100FA5EC9DE673BACEF49755B000025F985C62A0CBA1DC45EE60
                APIs
                • CoInitialize.OLE32(00000000), ref: 0091C432
                • CoCreateInstance.OLE32(00942D6C,00000000,00000001,00942BDC,?), ref: 0091C44A
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • CoUninitialize.OLE32 ref: 0091C6B7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_memmove
                • String ID: .lnk
                • API String ID: 2683427295-24824748
                • Opcode ID: 074fc9bdcb36f2593637f86d83dcd406b08381ec3e09d730f9c50179f2d0315e
                • Instruction ID: b96092f6a3f59274fd41d399922be1665f316e404f26e91d3d624cfdeb7f0404
                • Opcode Fuzzy Hash: 074fc9bdcb36f2593637f86d83dcd406b08381ec3e09d730f9c50179f2d0315e
                • Instruction Fuzzy Hash: DCA11971208205AFD700EF58C891EABB7A8FF95354F044928F195D72A2DB71EA49CB62
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,008B4AD0), ref: 008B4B45
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008B4B57
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetNativeSystemInfo$kernel32.dll
                • API String ID: 2574300362-192647395
                • Opcode ID: 7cac9332add557d2980aa9bc679ff8895874f5d1d14cd2a9a99ae6344b5bf7bc
                • Instruction ID: f35d02a65f6cbb18901a228f7d673a3eeb80bc7dbee1d557bf7a4f178d883be3
                • Opcode Fuzzy Hash: 7cac9332add557d2980aa9bc679ff8895874f5d1d14cd2a9a99ae6344b5bf7bc
                • Instruction Fuzzy Hash: CCD01275E14713CFDB209FB2E839B46B6E4EF45355F1188399485D6260D770D480CE54
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __itow__swprintf
                • String ID:
                • API String ID: 674341424-0
                • Opcode ID: 8ee3db9465a72c8d70b452024044b8fd5ef80133286f6a01762580d3f3d4e7f4
                • Instruction ID: 9593106ad7c62e97e23a17d028473b0eefa1521df65cfefd7109999bbe270e2e
                • Opcode Fuzzy Hash: 8ee3db9465a72c8d70b452024044b8fd5ef80133286f6a01762580d3f3d4e7f4
                • Instruction Fuzzy Hash: 202257716083059FC724DF28C881BAAB7F4FB85314F148A2DF59AD7291EB71E905CB92
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 0092EE3D
                • Process32FirstW.KERNEL32(00000000,?), ref: 0092EE4B
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • Process32NextW.KERNEL32(00000000,?), ref: 0092EF0B
                • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0092EF1A
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                • String ID:
                • API String ID: 2576544623-0
                • Opcode ID: 891408c48854862a7fda5a88fbcff0a14973142045752923d323f4df874f62ef
                • Instruction ID: 39927441b156edce45fc665a07d308767b03a0cd087ddb4d130f69bbc5bfdc03
                • Opcode Fuzzy Hash: 891408c48854862a7fda5a88fbcff0a14973142045752923d323f4df874f62ef
                • Instruction Fuzzy Hash: 3A516E71508711AFD310EF24D881EABBBE8FF94710F54492DF595D72A1EB70A908CB92
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: BuffCharUpper
                • String ID:
                • API String ID: 3964851224-0
                • Opcode ID: 97ee59812e337b381f01b440542136be0a549407477e726b570215412a5d44a4
                • Instruction ID: 5596b99b5456d4231cf388803557f449b282ab15c1a22f3bbf050f1d74c32fd4
                • Opcode Fuzzy Hash: 97ee59812e337b381f01b440542136be0a549407477e726b570215412a5d44a4
                • Instruction Fuzzy Hash: 6A923570608345CFD720DF28C480B6ABBE5FB85344F14896EE99ADB362D771E845CB92
                APIs
                • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0090E628
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: lstrlen
                • String ID: ($|
                • API String ID: 1659193697-1631851259
                • Opcode ID: 6aaaf57a3672ab99531338709983cf757031da7f5f5861ca78c64f8e70965cad
                • Instruction ID: 5f8384e2576416618c98f1d47ae5a0679a7b9ff5ffdf4a08dcb60578519fb1c8
                • Opcode Fuzzy Hash: 6aaaf57a3672ab99531338709983cf757031da7f5f5861ca78c64f8e70965cad
                • Instruction Fuzzy Hash: 8E322575A007059FDB28CF19D481A6AB7F1FF48320B15C96EE89ADB3A1E770E941CB44
                APIs
                • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0092180A,00000000), ref: 009223E1
                • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00922418
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Internet$AvailableDataFileQueryRead
                • String ID:
                • API String ID: 599397726-0
                • Opcode ID: 587bf7a8c79c11b404c9cbb73ad28eff90ada20e8243a1893e450cfde1b4221d
                • Instruction ID: 5bbebeecdb7aee06e02959f1e44669fbbda2f85ce4c4733fb74175f3433b1c75
                • Opcode Fuzzy Hash: 587bf7a8c79c11b404c9cbb73ad28eff90ada20e8243a1893e450cfde1b4221d
                • Instruction Fuzzy Hash: 8141F571904219BFEB20DF95EC81FBFB7BCEB40714F10442AF601A6254EA759E41AA60
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0091B40B
                • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0091B465
                • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0091B4B2
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ErrorMode$DiskFreeSpace
                • String ID:
                • API String ID: 1682464887-0
                • Opcode ID: dea6ae1b41b949566421ab6c62ab9d3e632c40022567f8a314b4946988ba47c8
                • Instruction ID: 6653ea93e6d1b34eb9cb42430da2d8f4a6e325f656192399b48a949270c0eb18
                • Opcode Fuzzy Hash: dea6ae1b41b949566421ab6c62ab9d3e632c40022567f8a314b4946988ba47c8
                • Instruction Fuzzy Hash: 73215C35A10108EFCB00EFA5E880AEEBBB8FF49310F1480A9E905EB361CB319955DB51
                APIs
                  • Part of subcall function 008D0DB6: std::exception::exception.LIBCMT ref: 008D0DEC
                  • Part of subcall function 008D0DB6: __CxxThrowException@8.LIBCMT ref: 008D0E01
                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0090882B
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00908858
                • GetLastError.KERNEL32 ref: 00908865
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                • String ID:
                • API String ID: 1922334811-0
                • Opcode ID: dbf60d9a3f5f81a18995c04f60a56c81175b49d2ff531f147a5f8ee1e85e8967
                • Instruction ID: 23fe5da253f888fdc6da2f7911507fbb10be1a2f0fb545df201226e3a7396276
                • Opcode Fuzzy Hash: dbf60d9a3f5f81a18995c04f60a56c81175b49d2ff531f147a5f8ee1e85e8967
                • Instruction Fuzzy Hash: BE113DB2914205AFE718DFA8DC85D6BB7BDFB44710B20862EE89597251EA70AC418F60
                APIs
                • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00908774
                • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0090878B
                • FreeSid.ADVAPI32(?), ref: 0090879B
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: AllocateCheckFreeInitializeMembershipToken
                • String ID:
                • API String ID: 3429775523-0
                • Opcode ID: 286e0c619ec1b2a692effadfae15af8672bcfeffe52d51ec2181207dbe709106
                • Instruction ID: bd485795e7443c9c9e4bb9eec13608dc4234116dd7649868e1a1424ba37f5c0b
                • Opcode Fuzzy Hash: 286e0c619ec1b2a692effadfae15af8672bcfeffe52d51ec2181207dbe709106
                • Instruction Fuzzy Hash: FEF04975E1530CBFDF04DFF4DD99AAEBBBCEF08301F1044A9A905E2181E6716A049B50
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 0091C6FB
                • FindClose.KERNEL32(00000000), ref: 0091C72B
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: 796c8832426926ed74a31525d830c805fa5684d2962e090660efec6fff705625
                • Instruction ID: 78b96c726f7dd36c8cc95154bdb7e304843cbff5e0665532e6b4fb3d945f251b
                • Opcode Fuzzy Hash: 796c8832426926ed74a31525d830c805fa5684d2962e090660efec6fff705625
                • Instruction Fuzzy Hash: 9D118E726042049FDB10EF29D845A6AF7E8FF85320F00852DF9A9C73A0DB70A805CF81
                APIs
                • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00929468,?,0093FB84,?), ref: 0091A097
                • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00929468,?,0093FB84,?), ref: 0091A0A9
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                • Opcode ID: 8eb20f8bad9d30adf7732a7bc17b31973e063ca5cba38bd54eea993dcf5a87d0
                • Instruction ID: 57e1a9c3e4ce4db72d60b45d794590979fc9a11b5bd265e68d7f8eedad6036be
                • Opcode Fuzzy Hash: 8eb20f8bad9d30adf7732a7bc17b31973e063ca5cba38bd54eea993dcf5a87d0
                • Instruction Fuzzy Hash: EDF0823561522DABDB21AFA4CC88FEA776CFF09361F004165F919D6191D6709940CBA2
                APIs
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00908309), ref: 009081E0
                • CloseHandle.KERNEL32(?,?,00908309), ref: 009081F2
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: AdjustCloseHandlePrivilegesToken
                • String ID:
                • API String ID: 81990902-0
                • Opcode ID: 202b008c5aa58696e6b5a77cf73c3d94fe2347cd516118970744992470cd7cfd
                • Instruction ID: 4d7993523503a8969e5e28d7d0dd638ebee62d87c5d52c7bcd915e3b574ce915
                • Opcode Fuzzy Hash: 202b008c5aa58696e6b5a77cf73c3d94fe2347cd516118970744992470cd7cfd
                • Instruction Fuzzy Hash: 32E0B672014610AEE7252B74EC09E777BAAEF04350B14892AB8A6C4470DB62AC91EF10
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,008D8D57,?,?,?,00000001), ref: 008DA15A
                • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008DA163
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: 2fd3363ccb8e2ae7aaad7081179f92682b084c1c13e7dc027306e5c1fa91d0c8
                • Instruction ID: 76b0fa7dead91477529fed97b2c68d56cd1a9545209b098bea7937fc924abb7e
                • Opcode Fuzzy Hash: 2fd3363ccb8e2ae7aaad7081179f92682b084c1c13e7dc027306e5c1fa91d0c8
                • Instruction Fuzzy Hash: 60B09231468208ABCA002B91EC19B8A3F6AEB45BE2F404020F60D85060CB625450AE91
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9bb1d37227ae61e9797f31c2e23993625bdb0a6db57177272a9a437bdeee26d2
                • Instruction ID: 0bd3c8b3fb39e13a04310df8b303f18973cf5ab2244caa445be1e5b47bdc48f1
                • Opcode Fuzzy Hash: 9bb1d37227ae61e9797f31c2e23993625bdb0a6db57177272a9a437bdeee26d2
                • Instruction Fuzzy Hash: 9132F125D29F454DD7239634D832336A789EFB73C4F15D737E81AB5AA6EB28C4836100
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 13caa07290576f8e8e48589c4cbeae4ca0812a33b3e9f78b38d8aeb4eb14b0ca
                • Instruction ID: ae4b42617c21db83d876b4451fea3e637f2c18832e40a6fab011687978180223
                • Opcode Fuzzy Hash: 13caa07290576f8e8e48589c4cbeae4ca0812a33b3e9f78b38d8aeb4eb14b0ca
                • Instruction Fuzzy Hash: 3EB1DE24E7AF514DD2239A398831336BA5CAFBB2D5F51D71BFC2670D22FB2185835241
                APIs
                • __time64.LIBCMT ref: 0091889B
                  • Part of subcall function 008D520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00918F6E,00000000,?,?,?,?,0091911F,00000000,?), ref: 008D5213
                  • Part of subcall function 008D520A: __aulldiv.LIBCMT ref: 008D5233
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Time$FileSystem__aulldiv__time64
                • String ID:
                • API String ID: 2893107130-0
                • Opcode ID: fe72b4e2052aeaea90cb73546f5519b36ec9c92a3ca65dc8e5dd2a23dd48b7e1
                • Instruction ID: a2f43b058adfaeb856b02b2794b661eb46a794df5f27e879d96f9d7dc3fd154f
                • Opcode Fuzzy Hash: fe72b4e2052aeaea90cb73546f5519b36ec9c92a3ca65dc8e5dd2a23dd48b7e1
                • Instruction Fuzzy Hash: 3821A5336355108BC729CF29D441A92B3E5EFA5311B688E6CE0F9CB2C0CA34A945EB54
                APIs
                • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00914C4A
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: mouse_event
                • String ID:
                • API String ID: 2434400541-0
                • Opcode ID: 3b188ca76ee017f9ac6f6bf84ef8dd054c9be43cfc65179d66989db21f6cb71f
                • Instruction ID: a41b032a4f28dbf03be9e69bf1dc59e814d9b28104011890804706e3e57c1cd7
                • Opcode Fuzzy Hash: 3b188ca76ee017f9ac6f6bf84ef8dd054c9be43cfc65179d66989db21f6cb71f
                • Instruction Fuzzy Hash: C9D05EA136920D38EC1C07209E1FFFB010DE348792FD8854971818A0C1EC849CC064B0
                APIs
                • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00908389), ref: 009087D1
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: LogonUser
                • String ID:
                • API String ID: 1244722697-0
                • Opcode ID: d8d4fa95bd96ee0416ab3406be2638d9a1a4d49b27fa8640f538f44c11d0b8df
                • Instruction ID: 51efb7a8eded0374e187ed4752f67c162166eaee1f1aab450673219a68116737
                • Opcode Fuzzy Hash: d8d4fa95bd96ee0416ab3406be2638d9a1a4d49b27fa8640f538f44c11d0b8df
                • Instruction Fuzzy Hash: C6D09E3226450EABEF019EA8DD05EAE3B69EB04B01F408511FE15D51A1C775D935AF60
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(?), ref: 008DA12A
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: d326b04dd0b662789ab3575609df2cbb6e2332baab35f088a35d52763eb95090
                • Instruction ID: 16e99c5332e76ee8e39bfcdcc16ae9e3b3ba9bef5a2101ae34184d4d6be9af2e
                • Opcode Fuzzy Hash: d326b04dd0b662789ab3575609df2cbb6e2332baab35f088a35d52763eb95090
                • Instruction Fuzzy Hash: 97A0123001410CA78A001B41EC044457F5DD6012D07004020F40C41021873254105980
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fcc0a8d9615a4939425579e103b65fc8dabdaad6861b20a2594cdeff12e10c23
                • Instruction ID: 27b5546f3693239d1e11ab7cf0a30eabce6e23f1ca2cbac1c649256dcf52a7ef
                • Opcode Fuzzy Hash: fcc0a8d9615a4939425579e103b65fc8dabdaad6861b20a2594cdeff12e10c23
                • Instruction Fuzzy Hash: 86223230A48526CFDF288A28C494B7DBBB1FF01304F2A846ED956CB5D2DB74DC91CA42
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: b1692401f54689ffa1d6847fb5d0e6310143a58d1750d441b24f58c3905fc131
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: 53C152322051930ADF6D4639847453EFBA2BEA27B131A175FD8B2CB2D4EF20D965D720
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: 00e112cabb493c53b5b671012f3cd1c1d74617b8a2c46dd4dcbfda6ee0c8fa84
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: FFC132322051930ADF6D463A847453EBBA1BEB27B131A176FD4B2DB2D5EF20C925D720
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: efb1715eb62611c4d6d0b953c8bc20572544958ed82da66f7a9e47ac28978350
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: A2C174322051931ADF2D463A847843EBBA1FEA27B131A076FD4B2DB2D5EF10D965D720
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction ID: c4ce56d6a467d84604d72111e48d5c180c1d4de8fb0d97a370f5e4765c949485
                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction Fuzzy Hash: FEC1623220519319DF6D4639847813EBBA2EEA27B131A176FD4B2CB2D5EF20C965D720
                APIs
                • DeleteObject.GDI32(00000000), ref: 0092785B
                • DeleteObject.GDI32(00000000), ref: 0092786D
                • DestroyWindow.USER32 ref: 0092787B
                • GetDesktopWindow.USER32 ref: 00927895
                • GetWindowRect.USER32(00000000), ref: 0092789C
                • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009279DD
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009279ED
                • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927A35
                • GetClientRect.USER32(00000000,?), ref: 00927A41
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00927A7B
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927A9D
                • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927AB0
                • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927ABB
                • GlobalLock.KERNEL32(00000000), ref: 00927AC4
                • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927AD3
                • GlobalUnlock.KERNEL32(00000000), ref: 00927ADC
                • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927AE3
                • GlobalFree.KERNEL32(00000000), ref: 00927AEE
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927B00
                • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00942CAC,00000000), ref: 00927B16
                • GlobalFree.KERNEL32(00000000), ref: 00927B26
                • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00927B4C
                • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00927B6B
                • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927B8D
                • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00927D7A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                • String ID: $AutoIt v3$DISPLAY$static
                • API String ID: 2211948467-2373415609
                • Opcode ID: cb0c17f90cde771a825061384979fccf78e450c82823e8af97aa08f76389abfa
                • Instruction ID: 1f2f0cf8068b13a2b60fd503d091776600147fd5b50adeed89ff6e30aa32dff5
                • Opcode Fuzzy Hash: cb0c17f90cde771a825061384979fccf78e450c82823e8af97aa08f76389abfa
                • Instruction Fuzzy Hash: 9D028A71914219EFDB14DFA8DC99EAEBBB9FB48310F008158F915AB2A1C770AD41DF60
                APIs
                • CharUpperBuffW.USER32(?,?,0093F910), ref: 00933627
                • IsWindowVisible.USER32(?), ref: 0093364B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: BuffCharUpperVisibleWindow
                • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                • API String ID: 4105515805-45149045
                • Opcode ID: 8523b04c28086feab2f3b71d7735dc6650f197bd651240c7e59dc661412d8f4b
                • Instruction ID: 77ce06d7e768c4e0d1a01654fc2991f367ca845c5a2e4d1cdf0d8a6f2f529a1e
                • Opcode Fuzzy Hash: 8523b04c28086feab2f3b71d7735dc6650f197bd651240c7e59dc661412d8f4b
                • Instruction Fuzzy Hash: C5D14B302483019FCA14EF14C456A6E77E9EF95354F148969F8869B3A2DB31EE4ACF42
                APIs
                • SetTextColor.GDI32(?,00000000), ref: 0093A630
                • GetSysColorBrush.USER32(0000000F), ref: 0093A661
                • GetSysColor.USER32(0000000F), ref: 0093A66D
                • SetBkColor.GDI32(?,000000FF), ref: 0093A687
                • SelectObject.GDI32(?,00000000), ref: 0093A696
                • InflateRect.USER32(?,000000FF,000000FF), ref: 0093A6C1
                • GetSysColor.USER32(00000010), ref: 0093A6C9
                • CreateSolidBrush.GDI32(00000000), ref: 0093A6D0
                • FrameRect.USER32(?,?,00000000), ref: 0093A6DF
                • DeleteObject.GDI32(00000000), ref: 0093A6E6
                • InflateRect.USER32(?,000000FE,000000FE), ref: 0093A731
                • FillRect.USER32(?,?,00000000), ref: 0093A763
                • GetWindowLongW.USER32(?,000000F0), ref: 0093A78E
                  • Part of subcall function 0093A8CA: GetSysColor.USER32(00000012), ref: 0093A903
                  • Part of subcall function 0093A8CA: SetTextColor.GDI32(?,?), ref: 0093A907
                  • Part of subcall function 0093A8CA: GetSysColorBrush.USER32(0000000F), ref: 0093A91D
                  • Part of subcall function 0093A8CA: GetSysColor.USER32(0000000F), ref: 0093A928
                  • Part of subcall function 0093A8CA: GetSysColor.USER32(00000011), ref: 0093A945
                  • Part of subcall function 0093A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0093A953
                  • Part of subcall function 0093A8CA: SelectObject.GDI32(?,00000000), ref: 0093A964
                  • Part of subcall function 0093A8CA: SetBkColor.GDI32(?,00000000), ref: 0093A96D
                  • Part of subcall function 0093A8CA: SelectObject.GDI32(?,?), ref: 0093A97A
                  • Part of subcall function 0093A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0093A999
                  • Part of subcall function 0093A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0093A9B0
                  • Part of subcall function 0093A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0093A9C5
                  • Part of subcall function 0093A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0093A9ED
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                • String ID:
                • API String ID: 3521893082-0
                • Opcode ID: 37ea734b60b288027e14072a3d8fc41253ec6a0c07cbd73bcc48fb21dc3e043f
                • Instruction ID: 652356b70acc3f423046228d22b1c159f2535550be310b2a45b3b65f6db778fc
                • Opcode Fuzzy Hash: 37ea734b60b288027e14072a3d8fc41253ec6a0c07cbd73bcc48fb21dc3e043f
                • Instruction Fuzzy Hash: 78917972818301FFCB109F64DC48A6BBBA9FF89325F100B29F9A2961A0D775D944DF52
                APIs
                • DestroyWindow.USER32(?,?,?), ref: 008B2CA2
                • DeleteObject.GDI32(00000000), ref: 008B2CE8
                • DeleteObject.GDI32(00000000), ref: 008B2CF3
                • DestroyIcon.USER32(00000000,?,?,?), ref: 008B2CFE
                • DestroyWindow.USER32(00000000,?,?,?), ref: 008B2D09
                • SendMessageW.USER32(?,00001308,?,00000000), ref: 008EC43B
                • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008EC474
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008EC89D
                  • Part of subcall function 008B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008B2036,?,00000000,?,?,?,?,008B16CB,00000000,?), ref: 008B1B9A
                • SendMessageW.USER32(?,00001053), ref: 008EC8DA
                • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008EC8F1
                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008EC907
                • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008EC912
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                • String ID: 0
                • API String ID: 464785882-4108050209
                • Opcode ID: 078ebd097f1652120b1258b22c4a4c5b5f49e4cf65943c5f88a3b922c45d83ff
                • Instruction ID: 41e7d61ee4cb8dbd063de4c272f77b30678c575f891e931bed971439c2cc8fc6
                • Opcode Fuzzy Hash: 078ebd097f1652120b1258b22c4a4c5b5f49e4cf65943c5f88a3b922c45d83ff
                • Instruction Fuzzy Hash: 52128B30A04241EFDB25DF29C894BA9BBE1FF06304F5445A9F895CB262C731E842DF91
                APIs
                • DestroyWindow.USER32(00000000), ref: 009274DE
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0092759D
                • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 009275DB
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 009275ED
                • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00927633
                • GetClientRect.USER32(00000000,?), ref: 0092763F
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00927683
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00927692
                • GetStockObject.GDI32(00000011), ref: 009276A2
                • SelectObject.GDI32(00000000,00000000), ref: 009276A6
                • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 009276B6
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009276BF
                • DeleteDC.GDI32(00000000), ref: 009276C8
                • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009276F4
                • SendMessageW.USER32(00000030,00000000,00000001), ref: 0092770B
                • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00927746
                • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0092775A
                • SendMessageW.USER32(00000404,00000001,00000000), ref: 0092776B
                • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0092779B
                • GetStockObject.GDI32(00000011), ref: 009277A6
                • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 009277B1
                • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 009277BB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                • API String ID: 2910397461-517079104
                • Opcode ID: 0930974284a67dd52837d14e70ac81a6934ac7db597a52a4e6779579e3eb3652
                • Instruction ID: bb443bdd0612fd5a2b660121dc42dbece020d558d1062e35f223f4758dd9a67a
                • Opcode Fuzzy Hash: 0930974284a67dd52837d14e70ac81a6934ac7db597a52a4e6779579e3eb3652
                • Instruction Fuzzy Hash: 59A15FB1A54615BFEB14DBA8DC4AFAEBBB9EB04710F004114FA15A72E1C7B0AD00DF64
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0091AD1E
                • GetDriveTypeW.KERNEL32(?,0093FAC0,?,\\.\,0093F910), ref: 0091ADFB
                • SetErrorMode.KERNEL32(00000000,0093FAC0,?,\\.\,0093F910), ref: 0091AF59
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                • API String ID: 2907320926-4222207086
                • Opcode ID: ad0f4bda3b336aa93de8bb9980dc33661ad208f08561d7b197ed08628ff63007
                • Instruction ID: 82c25cd5b0672bedff1da962805d2fae0cdd151474df8631e0a1269008e2194c
                • Opcode Fuzzy Hash: ad0f4bda3b336aa93de8bb9980dc33661ad208f08561d7b197ed08628ff63007
                • Instruction Fuzzy Hash: 5D51A3B074920DAB8B10DB64C952DFE77A4EB88704B604557E807E73D0DA35DD86EB43
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                • API String ID: 1038674560-86951937
                • Opcode ID: a4e5c013012dff0cdee450b8f557b88d3306c72382bc4ceb3cc9dfdef592b93f
                • Instruction ID: d0b34d510a6ae7f1859e96f5d6b626ecdbbe9dcb7a5e340e16a2dcdf59cd2126
                • Opcode Fuzzy Hash: a4e5c013012dff0cdee450b8f557b88d3306c72382bc4ceb3cc9dfdef592b93f
                • Instruction Fuzzy Hash: 968126B0640209AACF20BB65EC52FFF7B68FF05704F040125F905EA392FB64DA25D662
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00939AD2
                • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00939B8B
                • SendMessageW.USER32(?,00001102,00000002,?), ref: 00939BA7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$Window
                • String ID: 0
                • API String ID: 2326795674-4108050209
                • Opcode ID: 23b491212145911e88a0dae16393fa68a44c3f66277bf3116ae3d9d6dc34add7
                • Instruction ID: d51330b3910c503bda44d63bc67a3a365e67cecdb306302d8a5c0bf5e1a3dca2
                • Opcode Fuzzy Hash: 23b491212145911e88a0dae16393fa68a44c3f66277bf3116ae3d9d6dc34add7
                • Instruction Fuzzy Hash: DC02BB31608201AFD725CF24C899BAABBE9FF49314F04892DF999D62A1C7B4DC44DF52
                APIs
                • GetSysColor.USER32(00000012), ref: 0093A903
                • SetTextColor.GDI32(?,?), ref: 0093A907
                • GetSysColorBrush.USER32(0000000F), ref: 0093A91D
                • GetSysColor.USER32(0000000F), ref: 0093A928
                • CreateSolidBrush.GDI32(?), ref: 0093A92D
                • GetSysColor.USER32(00000011), ref: 0093A945
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0093A953
                • SelectObject.GDI32(?,00000000), ref: 0093A964
                • SetBkColor.GDI32(?,00000000), ref: 0093A96D
                • SelectObject.GDI32(?,?), ref: 0093A97A
                • InflateRect.USER32(?,000000FF,000000FF), ref: 0093A999
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0093A9B0
                • GetWindowLongW.USER32(00000000,000000F0), ref: 0093A9C5
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0093A9ED
                • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0093AA14
                • InflateRect.USER32(?,000000FD,000000FD), ref: 0093AA32
                • DrawFocusRect.USER32(?,?), ref: 0093AA3D
                • GetSysColor.USER32(00000011), ref: 0093AA4B
                • SetTextColor.GDI32(?,00000000), ref: 0093AA53
                • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0093AA67
                • SelectObject.GDI32(?,0093A5FA), ref: 0093AA7E
                • DeleteObject.GDI32(?), ref: 0093AA89
                • SelectObject.GDI32(?,?), ref: 0093AA8F
                • DeleteObject.GDI32(?), ref: 0093AA94
                • SetTextColor.GDI32(?,?), ref: 0093AA9A
                • SetBkColor.GDI32(?,?), ref: 0093AAA4
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID:
                • API String ID: 1996641542-0
                • Opcode ID: 0951eff3c9fd5c3402b30bcf4e24498e90d8163265c39dd601d990991fa4b69c
                • Instruction ID: c835d1f94f0ac967564089acd9e3b2323287db5462069d1fae977cc9176b714b
                • Opcode Fuzzy Hash: 0951eff3c9fd5c3402b30bcf4e24498e90d8163265c39dd601d990991fa4b69c
                • Instruction Fuzzy Hash: D5512A71D14208FFDF119FA4DC49EAEBBB9EB08320F114625F911AB2A1D7759940EF90
                APIs
                • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00938AC1
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00938AD2
                • CharNextW.USER32(0000014E), ref: 00938B01
                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00938B42
                • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00938B58
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00938B69
                • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00938B86
                • SetWindowTextW.USER32(?,0000014E), ref: 00938BD8
                • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00938BEE
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00938C1F
                • _memset.LIBCMT ref: 00938C44
                • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00938C8D
                • _memset.LIBCMT ref: 00938CEC
                • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00938D16
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 00938D6E
                • SendMessageW.USER32(?,0000133D,?,?), ref: 00938E1B
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00938E3D
                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00938E87
                • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00938EB4
                • DrawMenuBar.USER32(?), ref: 00938EC3
                • SetWindowTextW.USER32(?,0000014E), ref: 00938EEB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                • String ID: 0
                • API String ID: 1073566785-4108050209
                • Opcode ID: bf337a20b2b9f8d6b5f04d76456149e0d0c9d6fd093063285d6a4db51a51d0f7
                • Instruction ID: 3c81c4fcab3e1438f55dc35081ac3a58db86ebfa1d9001797ebd61fed20644c2
                • Opcode Fuzzy Hash: bf337a20b2b9f8d6b5f04d76456149e0d0c9d6fd093063285d6a4db51a51d0f7
                • Instruction Fuzzy Hash: 3DE16CB1904319AFDF209F64CC85EEF7BB9EF09714F108156F919AA290DB748A80DF61
                APIs
                • GetCursorPos.USER32(?), ref: 009349CA
                • GetDesktopWindow.USER32 ref: 009349DF
                • GetWindowRect.USER32(00000000), ref: 009349E6
                • GetWindowLongW.USER32(?,000000F0), ref: 00934A48
                • DestroyWindow.USER32(?), ref: 00934A74
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00934A9D
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00934ABB
                • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00934AE1
                • SendMessageW.USER32(?,00000421,?,?), ref: 00934AF6
                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00934B09
                • IsWindowVisible.USER32(?), ref: 00934B29
                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00934B44
                • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00934B58
                • GetWindowRect.USER32(?,?), ref: 00934B70
                • MonitorFromPoint.USER32(?,?,00000002), ref: 00934B96
                • GetMonitorInfoW.USER32(00000000,?), ref: 00934BB0
                • CopyRect.USER32(?,?), ref: 00934BC7
                • SendMessageW.USER32(?,00000412,00000000), ref: 00934C32
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                • String ID: ($0$tooltips_class32
                • API String ID: 698492251-4156429822
                • Opcode ID: b0474c477c261762a314345b7a206a7e7d99c77a820b1d40f03cb235c7257d2b
                • Instruction ID: b5b3cf56e825d44ed1344409cdfc7bc3dc825d0ac0035bfa170235f7d3c8e529
                • Opcode Fuzzy Hash: b0474c477c261762a314345b7a206a7e7d99c77a820b1d40f03cb235c7257d2b
                • Instruction Fuzzy Hash: E0B16971608341AFDB04DF68C845B6ABBE8FF88714F018918F5999B2A1D771EC05CF56
                APIs
                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 009144AC
                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 009144D2
                • _wcscpy.LIBCMT ref: 00914500
                • _wcscmp.LIBCMT ref: 0091450B
                • _wcscat.LIBCMT ref: 00914521
                • _wcsstr.LIBCMT ref: 0091452C
                • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00914548
                • _wcscat.LIBCMT ref: 00914591
                • _wcscat.LIBCMT ref: 00914598
                • _wcsncpy.LIBCMT ref: 009145C3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 699586101-1459072770
                • Opcode ID: 266a267818c1760bd556caf3055e9501a845c853ec9b91ddaaf0f936906eaf81
                • Instruction ID: 88fa78663b1d09ce8d2c9cea22b3c257d60b860951a00debfb9a59426c017dba
                • Opcode Fuzzy Hash: 266a267818c1760bd556caf3055e9501a845c853ec9b91ddaaf0f936906eaf81
                • Instruction Fuzzy Hash: 52410A71A002047BDB10AB78DC07EFF77BCEF45710F00066BF905E6292EB359A019AA6
                APIs
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008B28BC
                • GetSystemMetrics.USER32(00000007), ref: 008B28C4
                • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008B28EF
                • GetSystemMetrics.USER32(00000008), ref: 008B28F7
                • GetSystemMetrics.USER32(00000004), ref: 008B291C
                • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008B2939
                • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008B2949
                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008B297C
                • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008B2990
                • GetClientRect.USER32(00000000,000000FF), ref: 008B29AE
                • GetStockObject.GDI32(00000011), ref: 008B29CA
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 008B29D5
                  • Part of subcall function 008B2344: GetCursorPos.USER32(?), ref: 008B2357
                  • Part of subcall function 008B2344: ScreenToClient.USER32(009757B0,?), ref: 008B2374
                  • Part of subcall function 008B2344: GetAsyncKeyState.USER32(00000001), ref: 008B2399
                  • Part of subcall function 008B2344: GetAsyncKeyState.USER32(00000002), ref: 008B23A7
                • SetTimer.USER32(00000000,00000000,00000028,008B1256), ref: 008B29FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                • String ID: AutoIt v3 GUI
                • API String ID: 1458621304-248962490
                • Opcode ID: acfd312664175c25dfd41a1b7099d53ac7c5e332db9da68be1cf7a3d10f89b91
                • Instruction ID: 22d4abbd39067c2920c51a8890bc7db665fb9ebd907a66a9d879f4d4f6809202
                • Opcode Fuzzy Hash: acfd312664175c25dfd41a1b7099d53ac7c5e332db9da68be1cf7a3d10f89b91
                • Instruction Fuzzy Hash: BAB17C71A1020AEFDB14DFA8CC55BEE7BB4FB08315F104129FA19E62A0DB74A841DF51
                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 0090A47A
                • __swprintf.LIBCMT ref: 0090A51B
                • _wcscmp.LIBCMT ref: 0090A52E
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0090A583
                • _wcscmp.LIBCMT ref: 0090A5BF
                • GetClassNameW.USER32(?,?,00000400), ref: 0090A5F6
                • GetDlgCtrlID.USER32(?), ref: 0090A648
                • GetWindowRect.USER32(?,?), ref: 0090A67E
                • GetParent.USER32(?), ref: 0090A69C
                • ScreenToClient.USER32(00000000), ref: 0090A6A3
                • GetClassNameW.USER32(?,?,00000100), ref: 0090A71D
                • _wcscmp.LIBCMT ref: 0090A731
                • GetWindowTextW.USER32(?,?,00000400), ref: 0090A757
                • _wcscmp.LIBCMT ref: 0090A76B
                  • Part of subcall function 008D362C: _iswctype.LIBCMT ref: 008D3634
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                • String ID: %s%u
                • API String ID: 3744389584-679674701
                • Opcode ID: 7fbf9eedd7e8a68d172752941a99eadd52217adc3d466b13784fd8c2875764ec
                • Instruction ID: cc4865a864a1fc761f89d1e262284341bbe28f7e97bbc2b3d3247ffedeb034d9
                • Opcode Fuzzy Hash: 7fbf9eedd7e8a68d172752941a99eadd52217adc3d466b13784fd8c2875764ec
                • Instruction Fuzzy Hash: 7FA1AD31604706AFDB15DF64C884BAAB7ECFF54354F00862AF999D21A0DB30EA55CBD2
                APIs
                • GetClassNameW.USER32(00000008,?,00000400), ref: 0090AF18
                • _wcscmp.LIBCMT ref: 0090AF29
                • GetWindowTextW.USER32(00000001,?,00000400), ref: 0090AF51
                • CharUpperBuffW.USER32(?,00000000), ref: 0090AF6E
                • _wcscmp.LIBCMT ref: 0090AF8C
                • _wcsstr.LIBCMT ref: 0090AF9D
                • GetClassNameW.USER32(00000018,?,00000400), ref: 0090AFD5
                • _wcscmp.LIBCMT ref: 0090AFE5
                • GetWindowTextW.USER32(00000002,?,00000400), ref: 0090B00C
                • GetClassNameW.USER32(00000018,?,00000400), ref: 0090B055
                • _wcscmp.LIBCMT ref: 0090B065
                • GetClassNameW.USER32(00000010,?,00000400), ref: 0090B08D
                • GetWindowRect.USER32(00000004,?), ref: 0090B0F6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                • String ID: @$ThumbnailClass
                • API String ID: 1788623398-1539354611
                • Opcode ID: 5cbfe4429c1cc0e6f9f7f6ef30f1988dfcf72871ec99f40d0c97adb8828ee9d1
                • Instruction ID: 944289c87825d6157750da96522a3efb22a31db7dbf61407ca20587b321325be
                • Instruction Fuzzy Hash: AB819D711083069FDB00DF14C891BAA7BECFF84318F04856AED858A1D6DB34DD89CBA2
                APIs
                Similarity
                • API ID: __wcsnicmp
                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                • API String ID: 1038674560-1810252412
                • Opcode ID: e7c4cec8ba63f2002aca4a38e963f69f652a607ef90665b36aca86850e61d483
                • Instruction ID: a896dcd99aba6ba3a142560abe557e83e4fe296ef029168ff93bac7c91e61eb6
                • Instruction Fuzzy Hash: 86318431548315AADA14FAE4DE03EEEB768FF60758F600529F442B11D5EF516F04C693
                APIs
                • LoadCursorW.USER32(00000000,00007F8A), ref: 00925013
                • LoadCursorW.USER32(00000000,00007F00), ref: 0092501E
                • LoadCursorW.USER32(00000000,00007F03), ref: 00925029
                • LoadCursorW.USER32(00000000,00007F8B), ref: 00925034
                • LoadCursorW.USER32(00000000,00007F01), ref: 0092503F
                • LoadCursorW.USER32(00000000,00007F81), ref: 0092504A
                • LoadCursorW.USER32(00000000,00007F88), ref: 00925055
                • LoadCursorW.USER32(00000000,00007F80), ref: 00925060
                • LoadCursorW.USER32(00000000,00007F86), ref: 0092506B
                • LoadCursorW.USER32(00000000,00007F83), ref: 00925076
                • LoadCursorW.USER32(00000000,00007F85), ref: 00925081
                • LoadCursorW.USER32(00000000,00007F82), ref: 0092508C
                • LoadCursorW.USER32(00000000,00007F84), ref: 00925097
                • LoadCursorW.USER32(00000000,00007F04), ref: 009250A2
                • LoadCursorW.USER32(00000000,00007F02), ref: 009250AD
                • LoadCursorW.USER32(00000000,00007F89), ref: 009250B8
                • GetCursorInfo.USER32(?), ref: 009250C8
                Similarity
                • API ID: Cursor$Load$Info
                • String ID:
                • API String ID: 2577412497-0
                • Opcode ID: 4e29b0c7f11b837fabb4d94df8bae5496799daf0c89ace329dbeb477240487aa
                • Instruction ID: 436f067b5168595f58f172d6b3bb62a049509914c1d902007107c4ea17531bf4
                • Instruction Fuzzy Hash: 7F31F2B1D483196ADF109FB69C899AEBFE8FF04750F50453AE50DE7281DA78A5008FA1
                APIs
                • _memset.LIBCMT ref: 0093A259
                • DestroyWindow.USER32(?,?), ref: 0093A2D3
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0093A34D
                • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0093A36F
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0093A382
                • DestroyWindow.USER32(00000000), ref: 0093A3A4
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008B0000,00000000), ref: 0093A3DB
                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0093A3F4
                • GetDesktopWindow.USER32 ref: 0093A40D
                • GetWindowRect.USER32(00000000), ref: 0093A414
                • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0093A42C
                • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0093A444
                  • Part of subcall function 008B25DB: GetWindowLongW.USER32(?,000000EB), ref: 008B25EC
                Similarity
                • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                • String ID: 0$tooltips_class32
                • API String ID: 1297703922-3619404913
                • Opcode ID: 6431a7e8c147b14b70d52a3b6a2918f7c05a02fa153745c50a31a6d72e782ded
                • Instruction ID: 2b987dda14d38c6b66b31a26befa7c6ea534e70de8b536105e75632331fb9f86
                • Instruction Fuzzy Hash: FE718971554204AFDB25CF28CC49FAA7BEAFB88304F04492DF985872B0D7B4A946DF52
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • DragQueryPoint.SHELL32(?,?), ref: 0093C627
                  • Part of subcall function 0093AB37: ClientToScreen.USER32(?,?), ref: 0093AB60
                  • Part of subcall function 0093AB37: GetWindowRect.USER32(?,?), ref: 0093ABD6
                  • Part of subcall function 0093AB37: PtInRect.USER32(?,?,0093C014), ref: 0093ABE6
                • SendMessageW.USER32(?,000000B0,?,?), ref: 0093C690
                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0093C69B
                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0093C6BE
                • _wcscat.LIBCMT ref: 0093C6EE
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0093C705
                • SendMessageW.USER32(?,000000B0,?,?), ref: 0093C71E
                • SendMessageW.USER32(?,000000B1,?,?), ref: 0093C735
                • SendMessageW.USER32(?,000000B1,?,?), ref: 0093C757
                • DragFinish.SHELL32(?), ref: 0093C75E
                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0093C851
                Similarity
                • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                • API String ID: 169749273-3440237614
                • Opcode ID: 1bcf9625bbdcb864c1db58cde25e82481e07275da97206c76f501386fe07db13
                • Instruction ID: a631e0c693e538fbe777079d683b5adfc88a8c93df7491d655e7f263b1750c12
                • Instruction Fuzzy Hash: 72615971508301AFC701EF64DC85EABBBE8FF89754F00092EF595922A1DB709A49CB52
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00934424
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0093446F
                Similarity
                • API ID: BuffCharMessageSendUpper
                • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                • API String ID: 3974292440-4258414348
                • Opcode ID: f7d4cbb89069e09d1328cd501bb3824b1e7a5074c232a54a4c7dfe1128354abb
                • Instruction ID: 7c1a46e6465bf7b44c941195b761541d86fe3b9289caf8e2c28ee9763bb7f485
                • Instruction Fuzzy Hash: D89148702047119FCB14EF14C452AAEB7E5FF95354F058869F8969B3A2CB35ED09CB82
                APIs
                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0093B8B4
                • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009391C2), ref: 0093B910
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0093B949
                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0093B98C
                • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0093B9C3
                • FreeLibrary.KERNEL32(?), ref: 0093B9CF
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0093B9DF
                • DestroyIcon.USER32(?,?,?,?,?,009391C2), ref: 0093B9EE
                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0093BA0B
                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0093BA17
                  • Part of subcall function 008D2EFD: __wcsicmp_l.LIBCMT ref: 008D2F86
                Similarity
                • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                • String ID: .dll$.exe$.icl
                • API String ID: 1212759294-1154884017
                • Opcode ID: df358f5004dff1f6c9b1233f72ddcec1cf8edd707794bbba44acf4344a22aba7
                • Instruction ID: 6ee84d4e46b19b4feb455965be08adb1a5015e0e74621539e2bb2d1ba3bba9fd
                • Instruction Fuzzy Hash: 6561FF71940219BAEB14DF68CC41FBE7BACFF08724F10461AFA15D61D1DB749980DBA0
                APIs
                • GetLocalTime.KERNEL32(?), ref: 0091DCDC
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0091DCEC
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0091DCF8
                • __wsplitpath.LIBCMT ref: 0091DD56
                • _wcscat.LIBCMT ref: 0091DD6E
                • _wcscat.LIBCMT ref: 0091DD80
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0091DD95
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091DDA9
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091DDDB
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091DDFC
                • _wcscpy.LIBCMT ref: 0091DE08
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0091DE47
                Similarity
                • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                • String ID: *.*
                • API String ID: 3566783562-438819550
                • Opcode ID: 4486c519c6c3a176c611bf685e5ff8ada33754115a4c019dc767b43b8385b3bc
                • Instruction ID: 74f3038c34d404a1165dd3bb172145a6a867003aebc8d9fe2724f3439a1f12e5
                • Instruction Fuzzy Hash: 2F615C726082499FCB10EF64C8449EEB3E8FF89314F04492EF999C7251DB31E945CB92
                APIs
                • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00919C7F
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00919CA0
                • __swprintf.LIBCMT ref: 00919CF9
                • __swprintf.LIBCMT ref: 00919D12
                • _wprintf.LIBCMT ref: 00919DB9
                • _wprintf.LIBCMT ref: 00919DD7
                Similarity
                • API ID: LoadString__swprintf_wprintf$_memmove
                • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                • API String ID: 311963372-3080491070
                • Opcode ID: 2701feecf07afaf3fb8915a1593293dabcf2b7d9e9842bef3888e2025648f5af
                • Instruction ID: 456b03f9c2f94c2362cb1dc01b4deff85c4651c1a2b5bd0111efc806ca939ea6
                • Instruction Fuzzy Hash: 4C51B431900609AACF14EBE4DD56EEEBB78FF54300F500165F519B21A2EB312F88DB62
                APIs
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • CharLowerBuffW.USER32(?,?), ref: 0091A3CB
                • GetDriveTypeW.KERNEL32 ref: 0091A418
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0091A460
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0091A497
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0091A4C5
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                Similarity
                • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                • API String ID: 2698844021-4113822522
                • Opcode ID: c603c5d0d6e57386db0a86ad4f41168729cf9ff80460cc75326fd943e0daf304
                • Instruction ID: 6ff641aee9f13ae05ff3b401129936aeb6909bf5eacaf76f459b03a572a7c6fc
                • Instruction Fuzzy Hash: 4E513A712083059FC700EF24C8919AAB7E8FF94718F04496DF89A973A1DB31AD09CF52
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,008EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0090F8DF
                • LoadStringW.USER32(00000000,?,008EE029,00000001), ref: 0090F8E8
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • GetModuleHandleW.KERNEL32(00000000,00975310,?,00000FFF,?,?,008EE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0090F90A
                • LoadStringW.USER32(00000000,?,008EE029,00000001), ref: 0090F90D
                • __swprintf.LIBCMT ref: 0090F95D
                • __swprintf.LIBCMT ref: 0090F96E
                • _wprintf.LIBCMT ref: 0090FA17
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0090FA2E
                Similarity
                • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                • API String ID: 984253442-2268648507
                • Opcode ID: 5bb71abf423572efde044e9ef5d04bf402dbe2f521bfabbfdebf70b034036481
                • Instruction ID: f32dec65ff5a3cfc9127540aba9b2b7522a7b3699a2192580d8eb656bc06cb04
                • Instruction Fuzzy Hash: 82415E72904209AACF14FBE8DD96EEE7B78FF54300F500065F505B21A6EA316F49CB62
                APIs
                • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00939207,?,?), ref: 0093BA56
                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00939207,?,?,00000000,?), ref: 0093BA6D
                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00939207,?,?,00000000,?), ref: 0093BA78
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00939207,?,?,00000000,?), ref: 0093BA85
                • GlobalLock.KERNEL32(00000000), ref: 0093BA8E
                • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00939207,?,?,00000000,?), ref: 0093BA9D
                • GlobalUnlock.KERNEL32(00000000), ref: 0093BAA6
                • CloseHandle.KERNEL32(00000000,?,?,?,?,00939207,?,?,00000000,?), ref: 0093BAAD
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00939207,?,?,00000000,?), ref: 0093BABE
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00942CAC,?), ref: 0093BAD7
                • GlobalFree.KERNEL32(00000000), ref: 0093BAE7
                • GetObjectW.GDI32(00000000,00000018,?), ref: 0093BB0B
                • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0093BB36
                • DeleteObject.GDI32(00000000), ref: 0093BB5E
                • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0093BB74
                Similarity
                • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID:
                • API String ID: 3840717409-0
                • Opcode ID: 832961ec87cdc24ae9b344fe54b0c5ca625c518549dbc1acc8c88b445a030faa
                • Instruction ID: 35adaec527ceb7807205594fbb0345ff998c306d48259ef562e505961ee1f501
                • Instruction Fuzzy Hash: 49410875A14208EFDB119F65DC98EABBBB8EB89711F104069F919D7260DB309E01DF60
                APIs
                • __wsplitpath.LIBCMT ref: 0091DA10
                • _wcscat.LIBCMT ref: 0091DA28
                • _wcscat.LIBCMT ref: 0091DA3A
                • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0091DA4F
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091DA63
                • GetFileAttributesW.KERNEL32(?), ref: 0091DA7B
                • SetFileAttributesW.KERNEL32(?,00000000), ref: 0091DA95
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0091DAA7
                Similarity
                • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                • String ID: *.*
                • API String ID: 34673085-438819550
                • Opcode ID: 80a4aee31e1024a9f84602824a280dc89d0de88ade794557515a9ddcc1ef1286
                • Instruction ID: 10dafdfbc946d179a7cbe24cc091ca87db89daf825a7bb9b4259619a64f3264f
                • Instruction Fuzzy Hash: E081727160A2499FCB24DF68C845AEEB7E8FF89310F144D2EF889C7251D634E985CB52
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0093C1FC
                • GetFocus.USER32 ref: 0093C20C
                • GetDlgCtrlID.USER32(00000000), ref: 0093C217
                • _memset.LIBCMT ref: 0093C342
                • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0093C36D
                • GetMenuItemCount.USER32(?), ref: 0093C38D
                • GetMenuItemID.USER32(?,00000000), ref: 0093C3A0
                • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0093C3D4
                • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0093C41C
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0093C454
                • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0093C489
                Similarity
                • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                • String ID: 0
                • API String ID: 1296962147-4108050209
                • Opcode ID: f009d33cc28910e069581d2da63d67f8956774e990eb45056751dd07fd2fad9e
                • Instruction ID: 681850e71ee71a5c95728a5b1fc4d45c7dcb52cd4dab995f5834554e75ad8cec
                • Instruction Fuzzy Hash: CA819EB1608701AFD710DF24C894A7BBBE9FB88714F00492EF995A72A1D770D905DF92
                APIs
                • GetDC.USER32(00000000), ref: 0092738F
                • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0092739B
                • CreateCompatibleDC.GDI32(?), ref: 009273A7
                • SelectObject.GDI32(00000000,?), ref: 009273B4
                • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00927408
                • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00927444
                • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00927468
                • SelectObject.GDI32(00000006,?), ref: 00927470
                • DeleteObject.GDI32(?), ref: 00927479
                • DeleteDC.GDI32(00000006), ref: 00927480
                • ReleaseDC.USER32(00000000,?), ref: 0092748B
                Similarity
                • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                • String ID: (
                • API String ID: 2598888154-3887548279
                • Opcode ID: 4311c41267bde2298cf27658f71462c839d760bfaaf079867417831c850f7fab
                • Instruction ID: 97ccf9fab014731e86cbb8a5ba5d78fba8280947870db89be43055372e3ed49c
                • Opcode Fuzzy Hash: 4311c41267bde2298cf27658f71462c839d760bfaaf079867417831c850f7fab
                • Instruction Fuzzy Hash: E5514775904319EFCB14CFA8EC85EAEBBB9EF48310F14852EF95AA7210C731A9409F50
                APIs
                  • Part of subcall function 008D0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,008B6B0C,?,00008000), ref: 008D0973
                  • Part of subcall function 008B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B4743,?,?,008B37AE,?), ref: 008B4770
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 008B6BAD
                • SetCurrentDirectoryW.KERNEL32(?), ref: 008B6CFA
                  • Part of subcall function 008B586D: _wcscpy.LIBCMT ref: 008B58A5
                  • Part of subcall function 008D363D: _iswctype.LIBCMT ref: 008D3645
                Similarity
                • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                • API String ID: 537147316-1018226102
                • Opcode ID: d9fe9f9a3a195756aacabe4aa78a5d87905dc5c9cb6bef2191c1bfde18a5d9be
                • Instruction ID: abbb0caf559b6655a52cb69d39949061194b754ed2e3af374a6233d0d5fc65c2
                • Opcode Fuzzy Hash: d9fe9f9a3a195756aacabe4aa78a5d87905dc5c9cb6bef2191c1bfde18a5d9be
                • Instruction Fuzzy Hash: 920245311083419FC724EF28C891AAFBBE5FF99314F14492DF49AD72A1DA319A49CB52
                APIs
                • _memset.LIBCMT ref: 00912D50
                • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00912DDD
                • GetMenuItemCount.USER32(00975890), ref: 00912E66
                • DeleteMenu.USER32(00975890,00000005,00000000,000000F5,?,?), ref: 00912EF6
                • DeleteMenu.USER32(00975890,00000004,00000000), ref: 00912EFE
                • DeleteMenu.USER32(00975890,00000006,00000000), ref: 00912F06
                • DeleteMenu.USER32(00975890,00000003,00000000), ref: 00912F0E
                • GetMenuItemCount.USER32(00975890), ref: 00912F16
                • SetMenuItemInfoW.USER32(00975890,00000004,00000000,00000030), ref: 00912F4C
                • GetCursorPos.USER32(?), ref: 00912F56
                • SetForegroundWindow.USER32(00000000), ref: 00912F5F
                • TrackPopupMenuEx.USER32(00975890,00000000,?,00000000,00000000,00000000), ref: 00912F72
                • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00912F7E
                Similarity
                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                • String ID:
                • API String ID: 3993528054-0
                • Opcode ID: 022b153a22f74cb7d9f67669ac8054b6099fa90de9bf6a1dfe8988a6e6062a8c
                • Instruction ID: 7e6da73813ad99b7f7c00e5c9dd261b492a541faca29c0a88a3ecc98d08c8d7d
                • Opcode Fuzzy Hash: 022b153a22f74cb7d9f67669ac8054b6099fa90de9bf6a1dfe8988a6e6062a8c
                • Instruction Fuzzy Hash: 7E71C17074420DBAEB21AF54DC85FEABF68FB44724F100216F625AA1E1C7B16CB0DB94
                APIs
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                • _memset.LIBCMT ref: 0090786B
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009078A0
                • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009078BC
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009078D8
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00907902
                • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0090792A
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00907935
                • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0090793A
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                • API String ID: 1411258926-22481851
                • Opcode ID: 44f74e8e3b0d32d4debf7c56e563e29f4f2118052070a0920eb00b55603993b3
                • Instruction ID: 00b04eb51f39be2a14c9e50e96be59eb11082bbe4a550af0fa2d05c6492e6b5d
                • Opcode Fuzzy Hash: 44f74e8e3b0d32d4debf7c56e563e29f4f2118052070a0920eb00b55603993b3
                • Instruction Fuzzy Hash: 24411872C1422DAACF15EBA8DC95DEDB778FF54310F044029E915A32A1DA309D04CBA1
                APIs
                • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092FDAD,?,?), ref: 00930E31
                Similarity
                • API ID: BuffCharUpper
                • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                • API String ID: 3964851224-909552448
                • Opcode ID: e9c4b961679196c0b9fb2a664a6b02890d32cd0cba3ed1d0db9394e810dbeb8c
                • Instruction ID: 7a5155d7af81c9694812fbae9650ea469927eec018e09083219b72948fbde968
                • Opcode Fuzzy Hash: e9c4b961679196c0b9fb2a664a6b02890d32cd0cba3ed1d0db9394e810dbeb8c
                • Instruction Fuzzy Hash: AD41393220035A8BCF20EF14D966AEE37A8FF91344F140455FC559B2A2DB349D1ACFA1
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,008EE2A0,00000010,?,Bad directive syntax error,0093F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0090F7C2
                • LoadStringW.USER32(00000000,?,008EE2A0,00000010), ref: 0090F7C9
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                • _wprintf.LIBCMT ref: 0090F7FC
                • __swprintf.LIBCMT ref: 0090F81E
                • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0090F88D
                Similarity
                • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                • API String ID: 1506413516-4153970271
                • Opcode ID: 83b7278ec0b49f4ca90606062d958eae50886a0c839371c9061b8a880c6de68e
                • Instruction ID: ea019996aba116e494b733b2c2ceadd556cb88660272fcdf8afe24f34a73ce48
                • Opcode Fuzzy Hash: 83b7278ec0b49f4ca90606062d958eae50886a0c839371c9061b8a880c6de68e
                • Instruction Fuzzy Hash: A521913290421EEFCF11EF94CC6AEEE7B78FF14304F044466F515A61A2DA31A618DB52
                APIs
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                  • Part of subcall function 008B7924: _memmove.LIBCMT ref: 008B79AD
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00915330
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00915346
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00915357
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00915369
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0091537A
                Similarity
                • API ID: SendString$_memmove
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2279737902-1007645807
                • Opcode ID: b135330090afa5d53ad345ecd5acedb8c83756c08a29654b1da19919eb72c01e
                • Instruction ID: 790a7e3b3a6731e633ae49888c60fd4c4d3cc7005cbc6efbcaf2ef72d0cdcbe3
                • Opcode Fuzzy Hash: b135330090afa5d53ad345ecd5acedb8c83756c08a29654b1da19919eb72c01e
                • Instruction Fuzzy Hash: 6F118F21A5026DB9D720B765CC5ADFFBBBCFBD1B44F410529B411E21E1EEA00D45C9A1
                APIs
                Similarity
                • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 208665112-3771769585
                • Opcode ID: 725deff117d31a9f1bd7080c94a28f51d41769b5cbced87ad0cd199b2d9d5625
                • Instruction ID: a8c790c351ce6bf330c1b4d3b9797ce510ab8ddcb2afca4416dae0bbed2d46ae
                • Opcode Fuzzy Hash: 725deff117d31a9f1bd7080c94a28f51d41769b5cbced87ad0cd199b2d9d5625
                • Instruction Fuzzy Hash: 37112431A04108AFCB24BB74DC4AEEA77BCEF46711F0002B6F446D61A1EF708AC1DA61
                APIs
                • timeGetTime.WINMM ref: 00914F7A
                  • Part of subcall function 008D049F: timeGetTime.WINMM(?,75A8B400,008C0E7B), ref: 008D04A3
                • Sleep.KERNEL32(0000000A), ref: 00914FA6
                • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00914FCA
                • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00914FEC
                • SetActiveWindow.USER32 ref: 0091500B
                • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00915019
                • SendMessageW.USER32(00000010,00000000,00000000), ref: 00915038
                • Sleep.KERNEL32(000000FA), ref: 00915043
                • IsWindow.USER32 ref: 0091504F
                • EndDialog.USER32(00000000), ref: 00915060
                Similarity
                • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                • String ID: BUTTON
                • API String ID: 1194449130-3405671355
                • Opcode ID: 32ad1a07c0b9dfb0614e92270c39d55951336dd6bda44ecd497703bd5c5faf04
                • Instruction ID: 5de2f1c1d6e5e5828fc2c8bbdb85debc4dba9e5945184b5f3d2cf1e487c74bcc
                • Opcode Fuzzy Hash: 32ad1a07c0b9dfb0614e92270c39d55951336dd6bda44ecd497703bd5c5faf04
                • Instruction Fuzzy Hash: E621A47171CA09AFE7115F60ED99B663B69EB88749F051028F109812B1EB718DC4FA62
                APIs
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • CoInitialize.OLE32(00000000), ref: 0091D5EA
                • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0091D67D
                • SHGetDesktopFolder.SHELL32(?), ref: 0091D691
                • CoCreateInstance.OLE32(00942D7C,00000000,00000001,00968C1C,?), ref: 0091D6DD
                • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0091D74C
                • CoTaskMemFree.OLE32(?,?), ref: 0091D7A4
                • _memset.LIBCMT ref: 0091D7E1
                • SHBrowseForFolderW.SHELL32(?), ref: 0091D81D
                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0091D840
                • CoTaskMemFree.OLE32(00000000), ref: 0091D847
                • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0091D87E
                • CoUninitialize.OLE32(00000001,00000000), ref: 0091D880
                Similarity
                • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                • String ID:
                • API String ID: 1246142700-0
                • Opcode ID: 9c8291dc4fc6d3a5c08c59ad543b7b6f85a1bf9cd193963070ee3631ebe6a585
                • Instruction ID: 75eeaa2f6d8c05866051890051e60c2eabf4e47746e3661531e04f3024dad607
                • Opcode Fuzzy Hash: 9c8291dc4fc6d3a5c08c59ad543b7b6f85a1bf9cd193963070ee3631ebe6a585
                • Instruction Fuzzy Hash: 30B1EB75A00119AFDB04DFA8C898DAEBBB9FF49314B1484A9F909DB261DB30ED41CF51
                APIs
                • GetDlgItem.USER32(?,00000001), ref: 0090C283
                • GetWindowRect.USER32(00000000,?), ref: 0090C295
                • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0090C2F3
                • GetDlgItem.USER32(?,00000002), ref: 0090C2FE
                • GetWindowRect.USER32(00000000,?), ref: 0090C310
                • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0090C364
                • GetDlgItem.USER32(?,000003E9), ref: 0090C372
                • GetWindowRect.USER32(00000000,?), ref: 0090C383
                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0090C3C6
                • GetDlgItem.USER32(?,000003EA), ref: 0090C3D4
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0090C3F1
                • InvalidateRect.USER32(?,00000000,00000001), ref: 0090C3FE
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                • Opcode ID: 10a0d7070f2d69f8cf23b072cf3870d47b18252da72e81cfa1a2a4f8dabc2b9a
                • Instruction ID: 885a9aec60c641cae6678fa30dcc8357e10f45bcfe5aa93746df71abf45e611e
                • Opcode Fuzzy Hash: 10a0d7070f2d69f8cf23b072cf3870d47b18252da72e81cfa1a2a4f8dabc2b9a
                • Instruction Fuzzy Hash: 745113B1B10205AFDF18CFA9DD99A6EBBBAEB88711F14812DF515D72D0D7709D408B10
                APIs
                  • Part of subcall function 008B1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008B2036,?,00000000,?,?,?,?,008B16CB,00000000,?), ref: 008B1B9A
                • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008B20D3
                • KillTimer.USER32(-00000001,?,?,?,?,008B16CB,00000000,?,?,008B1AE2,?,?), ref: 008B216E
                • DestroyAcceleratorTable.USER32(00000000), ref: 008EBCA6
                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008B16CB,00000000,?,?,008B1AE2,?,?), ref: 008EBCD7
                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008B16CB,00000000,?,?,008B1AE2,?,?), ref: 008EBCEE
                • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008B16CB,00000000,?,?,008B1AE2,?,?), ref: 008EBD0A
                • DeleteObject.GDI32(00000000), ref: 008EBD1C
                Similarity
                • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                • String ID:
                • API String ID: 641708696-0
                • Opcode ID: 8692dcab668fc2ac7fba5a6e1bdcaccfd2cb573893d2d0bae4f8d6ddaa4384ff
                • Instruction ID: bcbd7ba3d624ed84c98501e772c2bddb4f89497329f795acd862d4283dd2a632
                • Opcode Fuzzy Hash: 8692dcab668fc2ac7fba5a6e1bdcaccfd2cb573893d2d0bae4f8d6ddaa4384ff
                • Instruction Fuzzy Hash: 62619D31628A04DFCB35AF19CD58BAA77F1FB41316F10852DE446CA670C7B0A881EF41
                APIs
                  • Part of subcall function 008B25DB: GetWindowLongW.USER32(?,000000EB), ref: 008B25EC
                • GetSysColor.USER32(0000000F), ref: 008B21D3
                Similarity
                • API ID: ColorLongWindow
                • String ID:
                • API String ID: 259745315-0
                • Opcode ID: 1af0e685a81b675e4f55995494260a8011d51fd4101c2b4d3e5d801b57415449
                • Instruction ID: 97c50f277b2235036b3b30af113adaa67b28de50477eca674aff24aa895a673f
                • Opcode Fuzzy Hash: 1af0e685a81b675e4f55995494260a8011d51fd4101c2b4d3e5d801b57415449
                • Instruction Fuzzy Hash: F541BF31408144ABDB259F68EC98BF97B65FB06331F184265FE65CA2E5C7318C42EB21
                APIs
                • CharLowerBuffW.USER32(?,?,0093F910), ref: 0091A90B
                • GetDriveTypeW.KERNEL32(00000061,009689A0,00000061), ref: 0091A9D5
                • _wcscpy.LIBCMT ref: 0091A9FF
                Similarity
                • API ID: BuffCharDriveLowerType_wcscpy
                • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                • API String ID: 2820617543-1000479233
                • Opcode ID: 03c4798228ff381a64b393c03fd7cb61a6f055c73884173037239a3ccabd412d
                • Instruction ID: 48c65cf2fb015c636882aeac904a697426cfb5fb46ce416eae6072de62cd2ba0
                • Opcode Fuzzy Hash: 03c4798228ff381a64b393c03fd7cb61a6f055c73884173037239a3ccabd412d
                • Instruction Fuzzy Hash: E8518A312083059BC710EF18C992AEFB7E9FF85344F14492DF596972A2DB319D89CA93
                APIs
                Similarity
                • API ID: __i64tow__itow__swprintf
                • String ID: %.15g$0x%p$False$True
                • API String ID: 421087845-2263619337
                • Opcode ID: 418c29f4f5643feef45f70a4a3e73ab9d9039f469be45f8e00348ebc18da3adc
                • Instruction ID: ddc4096adffe9f5ea7926f3d75a5ad41e4ee944e7bcd041ad0f503718a2f5d9e
                • Opcode Fuzzy Hash: 418c29f4f5643feef45f70a4a3e73ab9d9039f469be45f8e00348ebc18da3adc
                • Instruction Fuzzy Hash: 3641E571600209AFDB24DF39D842EBA73E9FF56304F20457EE699D7392EA319941CB11
                APIs
                • _memset.LIBCMT ref: 0093716A
                • CreateMenu.USER32 ref: 00937185
                • SetMenu.USER32(?,00000000), ref: 00937194
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00937221
                • IsMenu.USER32(?), ref: 00937237
                • CreatePopupMenu.USER32 ref: 00937241
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0093726E
                • DrawMenuBar.USER32 ref: 00937276
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                • String ID: 0$F
                • API String ID: 176399719-3044882817
                • Opcode ID: 0a4e09b1dcc02219653f69779d85427bbb966d5741086066a50f979d8cae3b24
                • Instruction ID: c3797d46f4cc75de934cab5d1cc5235a53a20891ead9f80abd6510b4694868a8
                • Opcode Fuzzy Hash: 0a4e09b1dcc02219653f69779d85427bbb966d5741086066a50f979d8cae3b24
                • Instruction Fuzzy Hash: E44142B5A15209AFDB20DFA4D884EAABBB9FB08310F140028F955A7360D731AD10DFA0
                APIs
                • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0093755E
                • CreateCompatibleDC.GDI32(00000000), ref: 00937565
                • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00937578
                • SelectObject.GDI32(00000000,00000000), ref: 00937580
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0093758B
                • DeleteDC.GDI32(00000000), ref: 00937594
                • GetWindowLongW.USER32(?,000000EC), ref: 0093759E
                • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009375B2
                • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009375BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                • String ID: static
                • API String ID: 2559357485-2160076837
                • Opcode ID: f73c61410341000dc3365b68b7e774ecf2f19e7a3b0d765a6e5834601e359a71
                • Instruction ID: bf9d37f77121b46f6ccc19362cae1fe4ad0a8cfc1b61c9ea5429fa3fcca41ef8
                • Opcode Fuzzy Hash: f73c61410341000dc3365b68b7e774ecf2f19e7a3b0d765a6e5834601e359a71
                • Instruction Fuzzy Hash: 8D318B72508219BBDF259FA4DC09FEA7BA9FF09324F110224FA15A60A0C731D811EFA0
                APIs
                • _memset.LIBCMT ref: 008D6E3E
                  • Part of subcall function 008D8B28: __getptd_noexit.LIBCMT ref: 008D8B28
                • __gmtime64_s.LIBCMT ref: 008D6ED7
                • __gmtime64_s.LIBCMT ref: 008D6F0D
                • __gmtime64_s.LIBCMT ref: 008D6F2A
                • __allrem.LIBCMT ref: 008D6F80
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D6F9C
                • __allrem.LIBCMT ref: 008D6FB3
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D6FD1
                • __allrem.LIBCMT ref: 008D6FE8
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008D7006
                • __invoke_watson.LIBCMT ref: 008D7077
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                • String ID:
                • API String ID: 384356119-0
                • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                • Instruction ID: c62011fdc0ab1de2455cdc5fb18919340d147ff32f389e46ccb3bffeb3f81eb4
                • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                • Instruction Fuzzy Hash: F071E276A40B1AABD714AA6DDC81B5AB3A8FF05324F14832BE414D73C1FB70DE508B91
                APIs
                • _memset.LIBCMT ref: 00912542
                • GetMenuItemInfoW.USER32(00975890,000000FF,00000000,00000030), ref: 009125A3
                • SetMenuItemInfoW.USER32(00975890,00000004,00000000,00000030), ref: 009125D9
                • Sleep.KERNEL32(000001F4), ref: 009125EB
                • GetMenuItemCount.USER32(?), ref: 0091262F
                • GetMenuItemID.USER32(?,00000000), ref: 0091264B
                • GetMenuItemID.USER32(?,-00000001), ref: 00912675
                • GetMenuItemID.USER32(?,?), ref: 009126BA
                • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00912700
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00912714
                • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00912735
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                • String ID:
                • API String ID: 4176008265-0
                • Opcode ID: 367766256f167461761c9ecd682417bc041daf088101b1de98006c4be99db01d
                • Instruction ID: 8c061afce5f3de6c50b265f63b5cb3ffd21d6eda1c7014151559414e21a6b168
                • Opcode Fuzzy Hash: 367766256f167461761c9ecd682417bc041daf088101b1de98006c4be99db01d
                • Instruction Fuzzy Hash: 68619B70A1424DAFDB11EF64CC98AFF7BB9EB41344F14046AF841A3291D731ADA5DB20
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00936FA5
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00936FA8
                • GetWindowLongW.USER32(?,000000F0), ref: 00936FCC
                • _memset.LIBCMT ref: 00936FDD
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00936FEF
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00937067
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$LongWindow_memset
                • String ID:
                • API String ID: 830647256-0
                • Opcode ID: 397b5824f44bcfd1c228e807f0f10e9ee7c05fef76e95b1e139463d29dde03fe
                • Instruction ID: f40dcc2fd7652cb5fff7d18aa312e1139cf4f2431af8cefe20e7a495055c47a0
                • Opcode Fuzzy Hash: 397b5824f44bcfd1c228e807f0f10e9ee7c05fef76e95b1e139463d29dde03fe
                • Instruction Fuzzy Hash: E8614A76A04208AFDB21DFA4CC81EEEB7B8EB09714F144159FA14AB2A1C771AD45DF90
                APIs
                • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00906BBF
                • SafeArrayAllocData.OLEAUT32(?), ref: 00906C18
                • VariantInit.OLEAUT32(?), ref: 00906C2A
                • SafeArrayAccessData.OLEAUT32(?,?), ref: 00906C4A
                • VariantCopy.OLEAUT32(?,?), ref: 00906C9D
                • SafeArrayUnaccessData.OLEAUT32(?), ref: 00906CB1
                • VariantClear.OLEAUT32(?), ref: 00906CC6
                • SafeArrayDestroyData.OLEAUT32(?), ref: 00906CD3
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00906CDC
                • VariantClear.OLEAUT32(?), ref: 00906CEE
                • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00906CF9
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                • String ID:
                • API String ID: 2706829360-0
                • Opcode ID: ae543e9eae7c8b9528c5c1500cc9d1d325efba7048dcaddf1a5f33e7a4513a75
                • Instruction ID: 2c624acf04c817de8a778d0d769ddb05c5d4db487a4e174a1606eee87214fe39
                • Opcode Fuzzy Hash: ae543e9eae7c8b9528c5c1500cc9d1d325efba7048dcaddf1a5f33e7a4513a75
                • Instruction Fuzzy Hash: 5F415171E04119AFDF00DF68D8589EEBBB9FF48354F008069E955E72A1CB30A955DF90
                APIs
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • CoInitialize.OLE32 ref: 00928403
                • CoUninitialize.OLE32 ref: 0092840E
                • CoCreateInstance.OLE32(?,00000000,00000017,00942BEC,?), ref: 0092846E
                • IIDFromString.OLE32(?,?), ref: 009284E1
                • VariantInit.OLEAUT32(?), ref: 0092857B
                • VariantClear.OLEAUT32(?), ref: 009285DC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                • API String ID: 834269672-1287834457
                • Opcode ID: 1fd4d09d92c9e5ca3c14f57c7ebe8a0ff5942b9ef300e6b9a5a106c24ade6c35
                • Instruction ID: 9f72208bddc040a38bf6a507c7bab513f9f1d569b23cd5a3eff47ae9774f60b1
                • Opcode Fuzzy Hash: 1fd4d09d92c9e5ca3c14f57c7ebe8a0ff5942b9ef300e6b9a5a106c24ade6c35
                • Instruction Fuzzy Hash: 4161B0706093229FC710EF54E848F5BBBE8EF89754F004959F9859B2A1CB74ED48CB92
                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 00925793
                • inet_addr.WSOCK32(?,?,?), ref: 009257D8
                • gethostbyname.WSOCK32(?), ref: 009257E4
                • IcmpCreateFile.IPHLPAPI ref: 009257F2
                • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00925862
                • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00925878
                • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009258ED
                • WSACleanup.WSOCK32 ref: 009258F3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                • String ID: Ping
                • API String ID: 1028309954-2246546115
                • Opcode ID: 40928a7d1436acf500bb3e97ef7d6dab26a5a32310ef93093360fc3cfd85470c
                • Instruction ID: c05d56ccadfd442ca035d40f48d869863195656404d3f73d3baeaa2da6a4ff41
                • Opcode Fuzzy Hash: 40928a7d1436acf500bb3e97ef7d6dab26a5a32310ef93093360fc3cfd85470c
                • Instruction Fuzzy Hash: 835180316047109FD710EF24EC49B6AB7E8EF49720F054929F996DB2A5DB74E800DF42
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0091B4D0
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0091B546
                • GetLastError.KERNEL32 ref: 0091B550
                • SetErrorMode.KERNEL32(00000000,READY), ref: 0091B5BD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: 049dac20719846db505287c891ef749d2416c09fbe840aaf2da3aff2cacf923a
                • Instruction ID: f6832327bf68cb54c41f17debccbcf3e6aa7b024e8dbe0d11ec3c063ddc5689d
                • Opcode Fuzzy Hash: 049dac20719846db505287c891ef749d2416c09fbe840aaf2da3aff2cacf923a
                • Instruction Fuzzy Hash: C5318F35B00209EFCB10EB68C895EEEBBBAFF49314F144125F505DB291DB709A82CB51
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 0090AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0090AABC
                • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00909014
                • GetDlgCtrlID.USER32 ref: 0090901F
                • GetParent.USER32 ref: 0090903B
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 0090903E
                • GetDlgCtrlID.USER32(?), ref: 00909047
                • GetParent.USER32(?), ref: 00909063
                • SendMessageW.USER32(00000000,?,?,00000111), ref: 00909066
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 1536045017-1403004172
                • Opcode ID: fcc5f024df1ab02ebe0bd0e7537c37b1e4104931e6232d4f44e40980025ceaae
                • Instruction ID: 7f3eafc971f4e2c5f710535b450d8039525b45f326d809d03856804251651227
                • Opcode Fuzzy Hash: fcc5f024df1ab02ebe0bd0e7537c37b1e4104931e6232d4f44e40980025ceaae
                • Instruction Fuzzy Hash: 2721AE70E00208BFDF04ABA4CC95EFEBBB9EB89314F100119F961972E2DA755855DA20
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 0090AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0090AABC
                • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009090FD
                • GetDlgCtrlID.USER32 ref: 00909108
                • GetParent.USER32 ref: 00909124
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 00909127
                • GetDlgCtrlID.USER32(?), ref: 00909130
                • GetParent.USER32(?), ref: 0090914C
                • SendMessageW.USER32(00000000,?,?,00000111), ref: 0090914F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$CtrlParent$ClassName_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 1536045017-1403004172
                • Opcode ID: a854e2a1af2366fa99f56aed76724536302d01510b30893418d74af7d7fc672d
                • Instruction ID: dc8f406f06159e6b5456998d2dc689d97f4fc281b94c3a8c993820cc9d25db2f
                • Opcode Fuzzy Hash: a854e2a1af2366fa99f56aed76724536302d01510b30893418d74af7d7fc672d
                • Instruction Fuzzy Hash: E221B374E04208BFDF01ABA5CC95EFEBBB9EF84304F104015F951972E2DB755815DA21
                APIs
                • GetParent.USER32 ref: 0090916F
                • GetClassNameW.USER32(00000000,?,00000100), ref: 00909184
                • _wcscmp.LIBCMT ref: 00909196
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00909211
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClassMessageNameParentSend_wcscmp
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 1704125052-3381328864
                • Opcode ID: 1af8c005cb095aea6eb5400c8c9feb134e9a03efc3140826874fd747c1e5b1e2
                • Instruction ID: b99057826051f533c5fe681f7da37c92ed1fb9c06925f26fc352551371f3d9a9
                • Opcode Fuzzy Hash: 1af8c005cb095aea6eb5400c8c9feb134e9a03efc3140826874fd747c1e5b1e2
                • Instruction Fuzzy Hash: 89118C3628C307BEFA10262CEC0BDA777DCEB21338B200127F910E00E3FE6268115991
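The entries above (the `Ping` function built on IcmpSendEcho, the drive-status probe built on SetErrorMode/GetDiskFreeSpaceW with the `READY$NOTREADY$...` strings, the CoCreateInstance/IIDFromString object creator with `Failed to create object`, and the WM_COMMAND sender that looks for `SHELLDLL_DefView`) are AutoIt3 interpreter built-ins, which is consistent with the report's "likely a compiled AutoIt script" signature; the payload logic lives in the embedded script, not in these routines. The following triage helper is an added example and is not part of the Joe Sandbox report or of any Joe Sandbox tool. It parses per-function API listings in the format shown on this page, matches them against fingerprints of AutoIt runtime functions (my own attribution, an assumption based on how the interpreter implements those built-ins; the Explorer view-mode and focus-stealing labels are descriptive rather than AutoIt function names), and decodes the constant arguments of the IcmpSendEcho call so the timeout and reply-buffer sizing can be read off directly. The sample text is constructed from entries on this page.

```python
"""Triage helper for Joe Sandbox per-function API listings of a compiled AutoIt binary.

Added example, not part of the Joe Sandbox report. FINGERPRINTS is my own mapping
of API/string combinations to AutoIt3 runtime built-ins (an assumption, not
documented by the sandbox). SAMPLE is constructed from entries on this page.
"""
import re
from dataclasses import dataclass, field

# Matches lines such as
#   • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00925862
#   • CoInitialize.OLE32 ref: 00928403
#     • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@$?]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)   # (name, module, args, ref, is_subcall)
    strings: set = field(default_factory=set)  # String IDs, split on '$'


def parse_entries(report_text):
    """Split the listing at each 'APIs' header; collect calls and the String IDs that follow."""
    entries, cur = [], None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
            cur.apis.append((m["name"], m["module"], args, m["ref"], bool(m["sub"])))
            continue
        m = STRING_RE.match(line)
        if m and m["ids"].strip():
            cur.strings.update(m["ids"].split("$"))
    return entries


# (label, APIs that must all be called directly, String IDs that must all be present)
FINGERPRINTS = [
    ("Ping()",        {"IcmpCreateFile", "IcmpSendEcho", "IcmpCloseHandle"}, {"Ping"}),
    ("DriveStatus()", {"SetErrorMode", "GetDiskFreeSpaceW"}, {"READY", "NOTREADY", "INVALID"}),
    ("ObjCreate()",   {"CoCreateInstance", "IIDFromString"}, {"Failed to create object"}),
    ("ObjGet()",      {"GetRunningObjectTable", "CoGetObject"}, set()),
    ("Explorer view-mode switch", {"GetClassNameW", "SendMessageW"}, {"SHELLDLL_DefView"}),
    ("focus steal via AttachThreadInput", {"GetForegroundWindow", "AttachThreadInput"}, set()),
]


def classify(entry):
    """Return the fingerprint labels whose API set and string set are both contained in the entry."""
    direct = {name for name, _m, _a, _r, sub in entry.apis if not sub}  # ignore subcall lines
    return [label for label, need_apis, need_strs in FINGERPRINTS
            if need_apis <= direct and need_strs <= entry.strings]


ICMP_ECHO_REPLY_SIZE = 28  # sizeof(ICMP_ECHO_REPLY) on 32-bit Windows
ICMP_ERROR_SIZE = 8        # extra bytes the IcmpSendEcho documentation asks for in ReplySize


def decode_icmp_send_echo(entry):
    """Decode the constant arguments of the first IcmpSendEcho call, or None if there is none.

    Argument order: IcmpHandle, DestinationAddress, RequestData, RequestSize,
    RequestOptions, ReplyBuffer, ReplySize, Timeout (milliseconds).
    """
    for name, _mod, args, _ref, _sub in entry.apis:
        if name == "IcmpSendEcho" and len(args) >= 8:
            req, reply, timeout = int(args[3], 16), int(args[6], 16), int(args[7], 16)
            return {"request_size": req, "reply_size": reply, "timeout_ms": timeout,
                    "reply_fits": reply == ICMP_ECHO_REPLY_SIZE + ICMP_ERROR_SIZE + req}
    return None


# Constructed from entries on this page (abridged to the lines the fingerprints use).
SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00925793
• IcmpCreateFile.IPHLPAPI ref: 009257F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00925862
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 009258ED
• String ID: Ping
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0091B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0091B546
• GetLastError.KERNEL32 ref: 0091B550
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
APIs
  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
• CoCreateInstance.OLE32(?,00000000,00000017,00942BEC,?), ref: 0092846E
• IIDFromString.OLE32(?,?), ref: 009284E1
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        first = e.apis[0][3] if e.apis else "?"
        print(first, classify(e), decode_icmp_send_echo(e))
```

Running it on the sample labels the three functions as `Ping()`, `DriveStatus()` and `ObjCreate()`, and reports the IcmpSendEcho call as request size 5, reply buffer 0x29 = 41 bytes (28 + 8 + 5, so the buffer is sized exactly as the API documentation requires) and a 4000 ms timeout. Functions that match a fingerprint can be set aside as interpreter code; the analysis effort belongs on the extracted script.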
                APIs
                • VariantInit.OLEAUT32(?), ref: 009288D7
                • CoInitialize.OLE32(00000000), ref: 00928904
                • CoUninitialize.OLE32 ref: 0092890E
                • GetRunningObjectTable.OLE32(00000000,?), ref: 00928A0E
                • SetErrorMode.KERNEL32(00000001,00000029), ref: 00928B3B
                • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00942C0C), ref: 00928B6F
                • CoGetObject.OLE32(?,00000000,00942C0C,?), ref: 00928B92
                • SetErrorMode.KERNEL32(00000000), ref: 00928BA5
                • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00928C25
                • VariantClear.OLEAUT32(?), ref: 00928C35
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                • String ID:
                • API String ID: 2395222682-0
                • Opcode ID: 5ce8635ffc18f6c7893bddea77a275e0f056dd8972c1931cb0f83cd952a8da14
                • Instruction ID: 14da0763456105ca64c2dfe84e30bfbb6c69371104436c906b173cb72be7f912
                • Opcode Fuzzy Hash: 5ce8635ffc18f6c7893bddea77a275e0f056dd8972c1931cb0f83cd952a8da14
                • Instruction Fuzzy Hash: BBC135B1609315AFC700DF68D884A6BB7E9FF88348F00491DF58A9B260DB71ED05CB52
                APIs
                • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00917A6C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ArraySafeVartype
                • String ID:
                • API String ID: 1725837607-0
                • Opcode ID: 75a5950edcc4cbb1a5b7d9a98a9e6f684661d593878154539b2c31b3a2aafe92
                • Instruction ID: 4b72b01271b84a5705dd1c8dbd2402809ade2335b30064cb85846115edee1be3
                • Opcode Fuzzy Hash: 75a5950edcc4cbb1a5b7d9a98a9e6f684661d593878154539b2c31b3a2aafe92
                • Instruction Fuzzy Hash: 5EB14A71A0821A9FDB00DFE8C885BFEB7B9EF49321F244429E651E7351D734A981CB91
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 009111F0
                • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00910268,?,00000001), ref: 00911204
                • GetWindowThreadProcessId.USER32(00000000), ref: 0091120B
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00910268,?,00000001), ref: 0091121A
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 0091122C
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00910268,?,00000001), ref: 00911245
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00910268,?,00000001), ref: 00911257
                • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00910268,?,00000001), ref: 0091129C
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00910268,?,00000001), ref: 009112B1
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00910268,?,00000001), ref: 009112BC
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                • String ID:
                • API String ID: 2156557900-0
                APIs
                • GetSysColor.USER32(00000008), ref: 008B2231
                • SetTextColor.GDI32(?,000000FF), ref: 008B223B
                • SetBkMode.GDI32(?,00000001), ref: 008B2250
                • GetStockObject.GDI32(00000005), ref: 008B2258
                • GetClientRect.USER32(?), ref: 008EBDBB
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 008EBDD2
                • GetWindowDC.USER32(?), ref: 008EBDDE
                • GetPixel.GDI32(00000000,?,?), ref: 008EBDED
                • ReleaseDC.USER32(?,00000000), ref: 008EBDFF
                • GetSysColor.USER32(00000005), ref: 008EBE1D
                Similarity
                • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                • String ID:
                • API String ID: 3430376129-0
                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008BFAA6
                • OleUninitialize.OLE32(?,00000000), ref: 008BFB45
                • UnregisterHotKey.USER32(?), ref: 008BFC9C
                • DestroyWindow.USER32(?), ref: 008F45D6
                • FreeLibrary.KERNEL32(?), ref: 008F463B
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008F4668
                Strings
                Similarity
                • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 469580280-3243417748
                APIs
                • EnumChildWindows.USER32(?,0090A439), ref: 0090A377
                Strings
                Similarity
                • API ID: ChildEnumWindows
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 3555792229-1603158881
                APIs
                • SetWindowLongW.USER32(?,000000EB), ref: 008B2EAE
                  • Part of subcall function 008B1DB3: GetClientRect.USER32(?,?), ref: 008B1DDC
                  • Part of subcall function 008B1DB3: GetWindowRect.USER32(?,?), ref: 008B1E1D
                  • Part of subcall function 008B1DB3: ScreenToClient.USER32(?,?), ref: 008B1E45
                • GetDC.USER32 ref: 008ECD32
                • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008ECD45
                • SelectObject.GDI32(00000000,00000000), ref: 008ECD53
                • SelectObject.GDI32(00000000,00000000), ref: 008ECD68
                • ReleaseDC.USER32(?,00000000), ref: 008ECD70
                • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008ECDFB
                Strings
                Similarity
                • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                • String ID: U
                • API String ID: 4009187628-3372436214
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00921A50
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00921A7C
                • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00921ABE
                • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00921AD3
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00921AE0
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00921B10
                • InternetCloseHandle.WININET(00000000), ref: 00921B57
                  • Part of subcall function 00922483: GetLastError.KERNEL32(?,?,00921817,00000000,00000000,00000001), ref: 00922498
                  • Part of subcall function 00922483: SetEvent.KERNEL32(?,?,00921817,00000000,00000000,00000001), ref: 009224AD
                Strings
                Similarity
                • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                • String ID:
                • API String ID: 2603140658-3916222277
                APIs
                • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0093F910), ref: 00928D28
                • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0093F910), ref: 00928D5C
                • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00928ED6
                • SysFreeString.OLEAUT32(?), ref: 00928F00
                Similarity
                • API ID: Free$FileLibraryModuleNamePathQueryStringType
                • String ID:
                • API String ID: 560350794-0
                APIs
                • _memset.LIBCMT ref: 0092F6B5
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0092F848
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0092F86C
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092F8AC
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0092F8CE
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0092FA4A
                • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0092FA7C
                • CloseHandle.KERNEL32(?), ref: 0092FAAB
                • CloseHandle.KERNEL32(?), ref: 0092FB22
                Similarity
                • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                • String ID:
                • API String ID: 4090791747-0
                APIs
                  • Part of subcall function 0091466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00913697,?), ref: 0091468B
                  • Part of subcall function 0091466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00913697,?), ref: 009146A4
                  • Part of subcall function 00914A31: GetFileAttributesW.KERNEL32(?,0091370B), ref: 00914A32
                • lstrcmpiW.KERNEL32(?,?), ref: 00914D40
                • _wcscmp.LIBCMT ref: 00914D5A
                • MoveFileW.KERNEL32(?,?), ref: 00914D75
                Similarity
                • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                • String ID:
                • API String ID: 793581249-0
                APIs
                • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009386FF
                Similarity
                • API ID: InvalidateRect
                • String ID:
                • API String ID: 634782764-0
                APIs
                • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008EC2F7
                • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008EC319
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008EC331
                • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008EC34F
                • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008EC370
                • DestroyIcon.USER32(00000000), ref: 008EC37F
                • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008EC39C
                • DestroyIcon.USER32(?), ref: 008EC3AB
                  • Part of subcall function 0093A4AF: DeleteObject.GDI32(00000000), ref: 0093A4E8
                Similarity
                • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                • String ID:
                • API String ID: 2819616528-0
                APIs
                  • Part of subcall function 0090A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0090A84C
                  • Part of subcall function 0090A82C: GetCurrentThreadId.KERNEL32 ref: 0090A853
                  • Part of subcall function 0090A82C: AttachThreadInput.USER32(00000000,?,00909683,?,00000001), ref: 0090A85A
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 0090968E
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009096AB
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 009096AE
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 009096B7
                • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 009096D5
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009096D8
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 009096E1
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 009096F8
                • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 009096FB
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                APIs
                • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0090853C,00000B00,?,?), ref: 0090892A
                • HeapAlloc.KERNEL32(00000000,?,0090853C,00000B00,?,?), ref: 00908931
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0090853C,00000B00,?,?), ref: 00908946
                • GetCurrentProcess.KERNEL32(?,00000000,?,0090853C,00000B00,?,?), ref: 0090894E
                • DuplicateHandle.KERNEL32(00000000,?,0090853C,00000B00,?,?), ref: 00908951
                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0090853C,00000B00,?,?), ref: 00908961
                • GetCurrentProcess.KERNEL32(0090853C,00000000,?,0090853C,00000B00,?,?), ref: 00908969
                • DuplicateHandle.KERNEL32(00000000,?,0090853C,00000B00,?,?), ref: 0090896C
                • CreateThread.KERNEL32(00000000,00000000,00908992,00000000,00000000,00000000), ref: 00908986
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                Strings
                Similarity
                • API ID:
                • String ID: NULL Pointer assignment$Not an Object type
                • API String ID: 0-572801152
                APIs
                Strings
                Similarity
                • API ID: Variant$ClearInit$_memset
                • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 2862541840-625585964
                APIs
                  • Part of subcall function 0090710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?,?,00907455), ref: 00907127
                  • Part of subcall function 0090710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?), ref: 00907142
                  • Part of subcall function 0090710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?), ref: 00907150
                  • Part of subcall function 0090710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?), ref: 00907160
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00929806
                • _memset.LIBCMT ref: 00929813
                • _memset.LIBCMT ref: 00929956
                • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00929982
                • CoTaskMemFree.OLE32(?), ref: 0092998D
                Strings
                • NULL Pointer assignment, xrefs: 009299DB
                Similarity
                • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                • String ID: NULL Pointer assignment
                • API String ID: 1300414916-2785691316
                • Opcode ID: f5880686bcdb2342a2bf7bc79451fc19f249a000408eb1ce393eb8feecfcbf53
                • Instruction ID: 39683195248aa6752313379c3e5036a810267c7093ed16d3c0be681cd4e97ea1
                • Opcode Fuzzy Hash: f5880686bcdb2342a2bf7bc79451fc19f249a000408eb1ce393eb8feecfcbf53
                • Instruction Fuzzy Hash: 70911571D00229EBDB10DFA5D841ADEBBB9FF48360F10415AF419A7291DB719A44CFA1
                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00936E24
                • SendMessageW.USER32(?,00001036,00000000,?), ref: 00936E38
                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00936E52
                • _wcscat.LIBCMT ref: 00936EAD
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 00936EC4
                • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00936EF2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$Window_wcscat
                • String ID: SysListView32
                • API String ID: 307300125-78025650
                • Opcode ID: b776f384cd2d685f6c8c63a0c113f0f1422d082574f4494a132e52b1d9731cac
                • Instruction ID: 5f3af6114f5df77d87a2eaf43a65216850b60e61a0aba8d34a079f5e9a406abb
                • Opcode Fuzzy Hash: b776f384cd2d685f6c8c63a0c113f0f1422d082574f4494a132e52b1d9731cac
                • Instruction Fuzzy Hash: 83419171A00348BFEB219F64CC85BEEB7E9EF08354F10452AF594E7291D6729D948F60
                APIs
                  • Part of subcall function 00913C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00913C7A
                  • Part of subcall function 00913C55: Process32FirstW.KERNEL32(00000000,?), ref: 00913C88
                  • Part of subcall function 00913C55: CloseHandle.KERNEL32(00000000), ref: 00913D52
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092E9A4
                • GetLastError.KERNEL32 ref: 0092E9B7
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0092E9E6
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0092EA63
                • GetLastError.KERNEL32(00000000), ref: 0092EA6E
                • CloseHandle.KERNEL32(00000000), ref: 0092EAA3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                • String ID: SeDebugPrivilege
                • API String ID: 2533919879-2896544425
                • Opcode ID: 1707368c027112c273c9a24f1b50476f1210e2a9afe5b9c9e4d76ee0331de8fc
                • Instruction ID: 04cfbc6a1c24a1886cd35377b86a72c15120b0fe0b49f78611b99cfbc9ce2e80
                • Opcode Fuzzy Hash: 1707368c027112c273c9a24f1b50476f1210e2a9afe5b9c9e4d76ee0331de8fc
                • Instruction Fuzzy Hash: 2441AB316042119FDB10EF18DCE5FAEB7A5BF85314F148418FA469B3D6CB74A848CB92
                APIs
                • LoadIconW.USER32(00000000,00007F03), ref: 00913033
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2457776203-404129466
                • Opcode ID: b9944b83f67eea8d119dab5c0ef522e451163c7bf7fd6ebb0953bd7a2629009d
                • Instruction ID: 7bf8f3ea02f987de41200904f858163b70c9a4d96e9d146ff756fa0ed32fa5e3
                • Opcode Fuzzy Hash: b9944b83f67eea8d119dab5c0ef522e451163c7bf7fd6ebb0953bd7a2629009d
                • Instruction Fuzzy Hash: 61112B3174838ABED7149B18DC42CEB7BECDF2D364B10416AF901A6282DF755F8056A1
                APIs
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00914312
                • LoadStringW.USER32(00000000), ref: 00914319
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0091432F
                • LoadStringW.USER32(00000000), ref: 00914336
                • _wprintf.LIBCMT ref: 0091435C
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0091437A
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 00914357
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_wprintf
                • String ID: %s (%d) : ==> %s: %s %s
                • API String ID: 3648134473-3128320259
                • Opcode ID: a4d1bd066384525633e8fe8e68229602ff0e70e55a0fc3170aa62d22988c7748
                • Instruction ID: 7aed696cf9f762fbf4255f4a037ffadc47a26e2ab777d089d5af6592d464601c
                • Opcode Fuzzy Hash: a4d1bd066384525633e8fe8e68229602ff0e70e55a0fc3170aa62d22988c7748
                • Instruction Fuzzy Hash: 86014FF290820CBFE71197A4DE89EE677ACEB08301F4005A1B749E6051EA745E855F71
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • GetSystemMetrics.USER32(0000000F), ref: 0093D47C
                • GetSystemMetrics.USER32(0000000F), ref: 0093D49C
                • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0093D6D7
                • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0093D6F5
                • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0093D716
                • ShowWindow.USER32(00000003,00000000), ref: 0093D735
                • InvalidateRect.USER32(?,00000000,00000001), ref: 0093D75A
                • DefDlgProcW.USER32(?,00000005,?,?), ref: 0093D77D
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                • String ID:
                • API String ID: 1211466189-0
                • Opcode ID: 9f722ffc56724bc3e4b74c9afec864443a76a792f57a47bba60ef77f5054d58d
                • Instruction ID: 8cce99f01d9f18ea95e0bbc7a57b4ec3d8d80ab03ff26dffb1ccacce127604a1
                • Opcode Fuzzy Hash: 9f722ffc56724bc3e4b74c9afec864443a76a792f57a47bba60ef77f5054d58d
                • Instruction Fuzzy Hash: 7BB1CA71A01219EBDF14CF28D9A97AD7BB5FF04704F088069EC599B299D734AA40CF90
                APIs
                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008EC1C7,00000004,00000000,00000000,00000000), ref: 008B2ACF
                • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008EC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 008B2B17
                • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008EC1C7,00000004,00000000,00000000,00000000), ref: 008EC21A
                • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008EC1C7,00000004,00000000,00000000,00000000), ref: 008EC286
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ShowWindow
                • String ID:
                • API String ID: 1268545403-0
                • Opcode ID: a8d68c1d49fb0ae303ac3f593cf70bd6a01a91bc33bd505885c962a7618f3615
                • Instruction ID: 05cfc0285ac35a8859578b94e730e47f89c47d3b4c52b89da192a9cdfda203d8
                • Opcode Fuzzy Hash: a8d68c1d49fb0ae303ac3f593cf70bd6a01a91bc33bd505885c962a7618f3615
                • Instruction Fuzzy Hash: C9414A31A186C4DBC7359B298C8DBEF7B92FB46314F24981DE157C27A0C675A842D711
                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 009170DD
                  • Part of subcall function 008D0DB6: std::exception::exception.LIBCMT ref: 008D0DEC
                  • Part of subcall function 008D0DB6: __CxxThrowException@8.LIBCMT ref: 008D0E01
                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00917114
                • EnterCriticalSection.KERNEL32(?), ref: 00917130
                • _memmove.LIBCMT ref: 0091717E
                • _memmove.LIBCMT ref: 0091719B
                • LeaveCriticalSection.KERNEL32(?), ref: 009171AA
                • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009171BF
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 009171DE
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                • String ID:
                • API String ID: 256516436-0
                • Opcode ID: 10e61a3559e42b0655884fdfc1cbe50b3554eb20cb038892df09f8497a933e2b
                • Instruction ID: 0b4d34f8f931f9d4640411b707c4a4118b35c649596003034386f63bba9b8127
                • Opcode Fuzzy Hash: 10e61a3559e42b0655884fdfc1cbe50b3554eb20cb038892df09f8497a933e2b
                • Instruction Fuzzy Hash: 8D316C31A04205EBCB00DFA8DC85AAFB7B8FF45710F1441AAE904EA256DB709A54DBA1
                APIs
                • DeleteObject.GDI32(00000000), ref: 009361EB
                • GetDC.USER32(00000000), ref: 009361F3
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009361FE
                • ReleaseDC.USER32(00000000,00000000), ref: 0093620A
                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00936246
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00936257
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0093902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00936291
                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009362B1
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                • String ID:
                • API String ID: 3864802216-0
                • Opcode ID: 7545e3c0acc66190ef59a198a06fde2e440f6b3ec1f13e7cd96ecbd2dba200e7
                • Instruction ID: 98b57e15e2b122a9e2e8db3577c4a044260c2ce1660c217add67f965e328ca27
                • Opcode Fuzzy Hash: 7545e3c0acc66190ef59a198a06fde2e440f6b3ec1f13e7cd96ecbd2dba200e7
                • Instruction Fuzzy Hash: 52317A72214214BFEF108F54CC8AFAB3BADEF4A765F054065FE08DA291C6B59C41CB60
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 00f125b20bab732d40fa149341c673f1e118f949fe378fdb97a218ce627b0c89
                • Instruction ID: 1eeb786ce6883e0886f1747b3d3d2aa82a5ef86cf9e6f1d1dc3ae00052f1e477
                • Opcode Fuzzy Hash: 00f125b20bab732d40fa149341c673f1e118f949fe378fdb97a218ce627b0c89
                • Instruction Fuzzy Hash: 7D21D1616012167FFA0467199D82FBB739EFE5535CF084421FD04966C3FB28DE1182AA
                APIs
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                  • Part of subcall function 008CFC86: _wcscpy.LIBCMT ref: 008CFCA9
                • _wcstok.LIBCMT ref: 0091EC94
                • _wcscpy.LIBCMT ref: 0091ED23
                • _memset.LIBCMT ref: 0091ED56
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                • String ID: X
                • API String ID: 774024439-3081909835
                • Opcode ID: 8d1b1b60c2cb71a9a99f1ebeb4fbfaba0912b6f0dc1c846fb7be37d137365a62
                • Instruction ID: 12c1d957e0b0165b697fcf79f8bac694dec8a5610f3e864c6aa9981cee2572e8
                • Opcode Fuzzy Hash: 8d1b1b60c2cb71a9a99f1ebeb4fbfaba0912b6f0dc1c846fb7be37d137365a62
                • Instruction Fuzzy Hash: EEC12A716083059FC754EF28D885AAAB7E4FF85310F04492DF999DB3A2DB30E845CB82
                APIs
                • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00926C00
                • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00926C21
                • WSAGetLastError.WSOCK32(00000000), ref: 00926C34
                • htons.WSOCK32(?,?,?,00000000,?), ref: 00926CEA
                • inet_ntoa.WSOCK32(?), ref: 00926CA7
                  • Part of subcall function 0090A7E9: _strlen.LIBCMT ref: 0090A7F3
                  • Part of subcall function 0090A7E9: _memmove.LIBCMT ref: 0090A815
                • _strlen.LIBCMT ref: 00926D44
                • _memmove.LIBCMT ref: 00926DAD
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                • String ID:
                • API String ID: 3619996494-0
                • Opcode ID: e5f1668e838a77ee6057b5fb6b85601b85ce1868cb2e486f97b9c4ef3d948738
                • Instruction ID: 2f19266e59fef657c0c17dea096d80755a73b8ad6707b1e8bec1f3449e961547
                • Opcode Fuzzy Hash: e5f1668e838a77ee6057b5fb6b85601b85ce1868cb2e486f97b9c4ef3d948738
                • Instruction Fuzzy Hash: 5581C172608314ABC710EB28DC92FAAB7A8EF84714F14491DF555DB2E2DB70ED05CB92
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7764b5399ef295864b344de8e56f4d1509943932c1866e27923a5e30d7bebb66
                • Instruction ID: cb09626505b909713066269a61514d2045b60ba33e279c91a16185fba3151f81
                • Opcode Fuzzy Hash: 7764b5399ef295864b344de8e56f4d1509943932c1866e27923a5e30d7bebb66
                • Instruction Fuzzy Hash: D6714630904109EFCF148F98CC98AEFBB79FF86314F548159E915EA261C734AA51CBA4
                APIs
                • IsWindow.USER32(014CDFA8), ref: 0093B3EB
                • IsWindowEnabled.USER32(014CDFA8), ref: 0093B3F7
                • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0093B4DB
                • SendMessageW.USER32(014CDFA8,000000B0,?,?), ref: 0093B512
                • IsDlgButtonChecked.USER32(?,?), ref: 0093B54F
                • GetWindowLongW.USER32(014CDFA8,000000EC), ref: 0093B571
                • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0093B589
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                • String ID:
                • API String ID: 4072528602-0
                • Opcode ID: 8b37df204397ea16ef52e39cc9a7c821186452fe96d628fa051a3c8d08ee5210
                • Instruction ID: cd0d67b34366bf530be26b59c811b62d7da3901beba0d6db3d8848a394c41348
                • Opcode Fuzzy Hash: 8b37df204397ea16ef52e39cc9a7c821186452fe96d628fa051a3c8d08ee5210
                • Instruction Fuzzy Hash: 9A719B34A05204AFDB24DF64C8A9FBABBF9EF49300F148059FA85972B2C771A940DF54
                APIs
                • _memset.LIBCMT ref: 0092F448
                • _memset.LIBCMT ref: 0092F511
                • ShellExecuteExW.SHELL32(?), ref: 0092F556
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                  • Part of subcall function 008CFC86: _wcscpy.LIBCMT ref: 008CFCA9
                • GetProcessId.KERNEL32(00000000), ref: 0092F5CD
                • CloseHandle.KERNEL32(00000000), ref: 0092F5FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                • String ID: @
                • API String ID: 3522835683-2766056989
                • Opcode ID: 97f6c30fe6254d1101cf2ef796652e04fb04dc53cdcb7b0cd12cb96cd707732c
                • Instruction ID: b0673a4675b0f38c35e1364e18b94651927c1f8892807d4a420c2c7fec42420e
                • Opcode Fuzzy Hash: 97f6c30fe6254d1101cf2ef796652e04fb04dc53cdcb7b0cd12cb96cd707732c
                • Instruction Fuzzy Hash: 9F61C071A00629DFCB04EF68D8959AEBBF5FF49310F148069E859AB361CB30AD41CF81
                APIs
                • GetParent.USER32(?), ref: 00910F8C
                • GetKeyboardState.USER32(?), ref: 00910FA1
                • SetKeyboardState.USER32(?), ref: 00911002
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00911030
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 0091104F
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00911095
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 009110B8
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: 3723692f617c68047c95f47b171e376d3e4d26c3f10dc85b91196a9f026072f0
                • Instruction ID: 0789f3ec3cca4bb0bc6dac36dbb81b61bc9a822666029349ea893c62b4f6aee2
                • Opcode Fuzzy Hash: 3723692f617c68047c95f47b171e376d3e4d26c3f10dc85b91196a9f026072f0
                • Instruction Fuzzy Hash: DB511560B187D93DFB3646348C16BF6BEAD5B4A304F088989E2D4858D3C2E9ECC5D751
                APIs
                • GetParent.USER32(00000000), ref: 00910DA5
                • GetKeyboardState.USER32(?), ref: 00910DBA
                • SetKeyboardState.USER32(?), ref: 00910E1B
                • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00910E47
                • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00910E64
                • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00910EA8
                • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00910EC9
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                APIs
                Similarity
                • API ID: _wcsncpy$LocalTime
                • String ID:
                • API String ID: 2945705084-0
                APIs
                  • Part of subcall function 0091466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00913697,?), ref: 0091468B
                  • Part of subcall function 0091466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00913697,?), ref: 009146A4
                • lstrcmpiW.KERNEL32(?,?), ref: 009136B7
                • _wcscmp.LIBCMT ref: 009136D3
                • MoveFileW.KERNEL32(?,?), ref: 009136EB
                • _wcscat.LIBCMT ref: 00913733
                • SHFileOperationW.SHELL32(?), ref: 0091379F
                Similarity
                • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                • String ID: \*.*
                • API String ID: 1377345388-1173974218
                APIs
                • _memset.LIBCMT ref: 009372AA
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00937351
                • IsMenu.USER32(?), ref: 00937369
                • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009373B1
                • DrawMenuBar.USER32 ref: 009373C4
                Similarity
                • API ID: Menu$Item$DrawInfoInsert_memset
                • String ID: 0
                • API String ID: 3866635326-4108050209
                APIs
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00930FD4
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00930FFE
                • FreeLibrary.KERNEL32(00000000), ref: 009310B5
                  • Part of subcall function 00930FA5: RegCloseKey.ADVAPI32(?), ref: 0093101B
                  • Part of subcall function 00930FA5: FreeLibrary.KERNEL32(?), ref: 0093106D
                  • Part of subcall function 00930FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00931090
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00931058
                Similarity
                • API ID: EnumFreeLibrary$CloseDeleteOpen
                • String ID:
                • API String ID: 395352322-0
                APIs
                • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009362EC
                • GetWindowLongW.USER32(014CDFA8,000000F0), ref: 0093631F
                • GetWindowLongW.USER32(014CDFA8,000000F0), ref: 00936354
                • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00936386
                • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009363B0
                • GetWindowLongW.USER32(00000000,000000F0), ref: 009363C1
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009363DB
                Similarity
                • API ID: LongWindow$MessageSend
                • String ID:
                • API String ID: 2178440468-0
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0090DB2E
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0090DB54
                • SysAllocString.OLEAUT32(00000000), ref: 0090DB57
                • SysAllocString.OLEAUT32(?), ref: 0090DB75
                • SysFreeString.OLEAUT32(?), ref: 0090DB7E
                • StringFromGUID2.OLE32(?,?,00000028), ref: 0090DBA3
                • SysAllocString.OLEAUT32(?), ref: 0090DBB1
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                APIs
                  • Part of subcall function 00927D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00927DB6
                • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009261C6
                • WSAGetLastError.WSOCK32(00000000), ref: 009261D5
                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0092620E
                • connect.WSOCK32(00000000,?,00000010), ref: 00926217
                • WSAGetLastError.WSOCK32 ref: 00926221
                • closesocket.WSOCK32(00000000), ref: 0092624A
                • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00926263
                Similarity
                • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                • String ID:
                • API String ID: 910771015-0
                APIs
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 1038674560-2734436370
                APIs
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0090DC09
                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0090DC2F
                • SysAllocString.OLEAUT32(00000000), ref: 0090DC32
                • SysAllocString.OLEAUT32 ref: 0090DC53
                • SysFreeString.OLEAUT32 ref: 0090DC5C
                • StringFromGUID2.OLE32(?,?,00000028), ref: 0090DC76
                • SysAllocString.OLEAUT32(?), ref: 0090DC84
                Similarity
                • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                • String ID:
                • API String ID: 3761583154-0
                APIs
                  • Part of subcall function 008B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008B1D73
                  • Part of subcall function 008B1D35: GetStockObject.GDI32(00000011), ref: 008B1D87
                  • Part of subcall function 008B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008B1D91
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00937632
                • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0093763F
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0093764A
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00937659
                • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00937665
                Similarity
                • API ID: MessageSend$CreateObjectStockWindow
                • String ID: Msctls_Progress32
                • API String ID: 1025951953-3636473452
                APIs
                • __init_pointers.LIBCMT ref: 008D9AE6
                  • Part of subcall function 008D3187: EncodePointer.KERNEL32(00000000), ref: 008D318A
                  • Part of subcall function 008D3187: __initp_misc_winsig.LIBCMT ref: 008D31A5
                  • Part of subcall function 008D3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 008D9EA0
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 008D9EB4
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 008D9EC7
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 008D9EDA
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 008D9EED
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 008D9F00
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 008D9F13
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 008D9F26
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 008D9F39
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 008D9F4C
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 008D9F5F
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 008D9F72
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 008D9F85
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 008D9F98
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 008D9FAB
                  • Part of subcall function 008D3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 008D9FBE
                • __mtinitlocks.LIBCMT ref: 008D9AEB
                • __mtterm.LIBCMT ref: 008D9AF4
                  • Part of subcall function 008D9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,008D9AF9,008D7CD0,0096A0B8,00000014), ref: 008D9C56
                  • Part of subcall function 008D9B5C: _free.LIBCMT ref: 008D9C5D
                  • Part of subcall function 008D9B5C: DeleteCriticalSection.KERNEL32(0096EC00,?,?,008D9AF9,008D7CD0,0096A0B8,00000014), ref: 008D9C7F
                • __calloc_crt.LIBCMT ref: 008D9B19
                • __initptd.LIBCMT ref: 008D9B3B
                • GetCurrentThreadId.KERNEL32 ref: 008D9B42
                Similarity
                • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                • String ID:
                • API String ID: 3567560977-0
                APIs
                • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008D3F85), ref: 008D4085
                • GetProcAddress.KERNEL32(00000000), ref: 008D408C
                • EncodePointer.KERNEL32(00000000), ref: 008D4097
                • DecodePointer.KERNEL32(008D3F85), ref: 008D40B2
                Similarity
                • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                • String ID: RoUninitialize$combase.dll
                • API String ID: 3489934621-2819208100
                APIs
                • GetClientRect.USER32(?,?), ref: 008B1DDC
                • GetWindowRect.USER32(?,?), ref: 008B1E1D
                • ScreenToClient.USER32(?,?), ref: 008B1E45
                • GetClientRect.USER32(?,?), ref: 008B1F74
                • GetWindowRect.USER32(?,?), ref: 008B1F8D
                Similarity
                • API ID: Rect$Client$Window$Screen
                • String ID:
                • API String ID: 1296646539-0
                APIs
                Similarity
                • API ID: _memmove$__itow__swprintf
                • String ID:
                • API String ID: 3253778849-0
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 00930E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092FDAD,?,?), ref: 00930E31
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009302BD
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009302FD
                • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00930320
                • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00930349
                • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0093038C
                • RegCloseKey.ADVAPI32(00000000), ref: 00930399
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                • String ID:
                • API String ID: 4046560759-0
                • Opcode ID: 5304156c91be2608e0cfb70e257cefbc79a26388160ea5036d798d300840e778
                • Instruction ID: ae409538caf65eb68f60a665bcb3855ec56b299a60b58653d93b13db41e29ea3
                • Opcode Fuzzy Hash: 5304156c91be2608e0cfb70e257cefbc79a26388160ea5036d798d300840e778
                • Instruction Fuzzy Hash: 63512631208205AFC714EF68C895EAEBBE9FF89314F04492DF595872A2DB31E905DF52
                APIs
                • GetMenu.USER32(?), ref: 009357FB
                • GetMenuItemCount.USER32(00000000), ref: 00935832
                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0093585A
                • GetMenuItemID.USER32(?,?), ref: 009358C9
                • GetSubMenu.USER32(?,?), ref: 009358D7
                • PostMessageW.USER32(?,00000111,?,00000000), ref: 00935928
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Menu$Item$CountMessagePostString
                • String ID:
                • API String ID: 650687236-0
                • Opcode ID: f83db93b0d22de8332628cdffe66483a8a20a97830474086a9c25ad456a91d1a
                • Instruction ID: a347dc837b518b9ec4b6cb36e56586e84d40cf7e99b77854fea3d913da54a4ef
                • Opcode Fuzzy Hash: f83db93b0d22de8332628cdffe66483a8a20a97830474086a9c25ad456a91d1a
                • Instruction Fuzzy Hash: BC516935E00619EFCF11EF68C845AAEBBB5FF48320F114469E842AB351CB74AE419F91
                APIs
                • VariantInit.OLEAUT32(?), ref: 0090EF06
                • VariantClear.OLEAUT32(00000013), ref: 0090EF78
                • VariantClear.OLEAUT32(00000000), ref: 0090EFD3
                • _memmove.LIBCMT ref: 0090EFFD
                • VariantClear.OLEAUT32(?), ref: 0090F04A
                • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0090F078
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Variant$Clear$ChangeInitType_memmove
                • String ID:
                • API String ID: 1101466143-0
                • Opcode ID: aef7a7f388b1dc482127e74a0ed57fba0c09c355e7c834ccef61afae949d53aa
                • Instruction ID: 183ac90c7d568af2efd8fa7e108fc093980df83d9b8b727f222a0ea2dc5ae397
                • Opcode Fuzzy Hash: aef7a7f388b1dc482127e74a0ed57fba0c09c355e7c834ccef61afae949d53aa
                • Instruction Fuzzy Hash: 03516CB5A00209DFCB24CF58C894AAAB7B8FF4C314B158569E959DB341E335EA11CFA0
                APIs
                • _memset.LIBCMT ref: 00912258
                • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009122A3
                • IsMenu.USER32(00000000), ref: 009122C3
                • CreatePopupMenu.USER32 ref: 009122F7
                • GetMenuItemCount.USER32(000000FF), ref: 00912355
                • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00912386
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                • String ID:
                • API String ID: 3311875123-0
                • Opcode ID: 61e546917ea49a34da0dff43b3729208b676a2e9362637ae70baa164366af958
                • Instruction ID: e6a129d514cd5ea538bfa989920045f576b916aa4167640befdf446045e6660d
                • Opcode Fuzzy Hash: 61e546917ea49a34da0dff43b3729208b676a2e9362637ae70baa164366af958
                • Instruction Fuzzy Hash: 3451B130B0420DDFDF25EF64C888BEDBBF9AF45714F104529E82197290D37599A6CB51
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • BeginPaint.USER32(?,?,?,?,?,?), ref: 008B179A
                • GetWindowRect.USER32(?,?), ref: 008B17FE
                • ScreenToClient.USER32(?,?), ref: 008B181B
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008B182C
                • EndPaint.USER32(?,?), ref: 008B1876
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: PaintWindow$BeginClientLongRectScreenViewport
                • String ID:
                • API String ID: 1827037458-0
                • Opcode ID: 61917ff858bffadd425e3ac24923a56d110c915481308ccc9582df95959535e1
                • Instruction ID: b3ff5fe629be4d6483bc7be6701b2baa8d25eb9e90726423cd37039ce8e70624
                • Opcode Fuzzy Hash: 61917ff858bffadd425e3ac24923a56d110c915481308ccc9582df95959535e1
                • Instruction Fuzzy Hash: F2418F31514604AFDB10DF25C898BAA7BE8FB4A724F144639F5A8CA2B1C7709845DB62
                APIs
                • ShowWindow.USER32(009757B0,00000000,014CDFA8,?,?,009757B0,?,0093B5A8,?,?), ref: 0093B712
                • EnableWindow.USER32(00000000,00000000), ref: 0093B736
                • ShowWindow.USER32(009757B0,00000000,014CDFA8,?,?,009757B0,?,0093B5A8,?,?), ref: 0093B796
                • ShowWindow.USER32(00000000,00000004,?,0093B5A8,?,?), ref: 0093B7A8
                • EnableWindow.USER32(00000000,00000001), ref: 0093B7CC
                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0093B7EF
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID:
                • API String ID: 642888154-0
                • Opcode ID: b4548e75566423ebb6976578d5329e5cbdc3568886f11f452d63ea2b77a2985c
                • Instruction ID: ed96549a2dbc7946cbbf22ce412efc0f454df010ccd2f2214190c6d5f5c44b8c
                • Opcode Fuzzy Hash: b4548e75566423ebb6976578d5329e5cbdc3568886f11f452d63ea2b77a2985c
                • Instruction Fuzzy Hash: 81418334604244AFDB22CF24C49AB947BE5FF45314F1841B9FA4E8FAA2C731A856CF90
                APIs
                • GetForegroundWindow.USER32(?,?,?,?,?,?,00924E41,?,?,00000000,00000001), ref: 009270AC
                  • Part of subcall function 009239A0: GetWindowRect.USER32(?,?), ref: 009239B3
                • GetDesktopWindow.USER32 ref: 009270D6
                • GetWindowRect.USER32(00000000), ref: 009270DD
                • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0092710F
                  • Part of subcall function 00915244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009152BC
                • GetCursorPos.USER32(?), ref: 0092713B
                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00927199
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                • String ID:
                • API String ID: 4137160315-0
                • Opcode ID: 4dc0fa0d9b92c1aa290c347840a37fbc93540e877adeab966857fb6a0b469aa2
                • Instruction ID: adaf557597b163612f2210fc11a4b44c37609a2912762563e059138a11bb8178
                • Opcode Fuzzy Hash: 4dc0fa0d9b92c1aa290c347840a37fbc93540e877adeab966857fb6a0b469aa2
                • Instruction Fuzzy Hash: 1C31D272509319ABD720DF54D849F9BB7EAFFC8314F000919F585A7192C630EA19CB92
                APIs
                  • Part of subcall function 009080A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009080C0
                  • Part of subcall function 009080A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009080CA
                  • Part of subcall function 009080A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009080D9
                  • Part of subcall function 009080A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009080E0
                  • Part of subcall function 009080A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009080F6
                • GetLengthSid.ADVAPI32(?,00000000,0090842F), ref: 009088CA
                • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009088D6
                • HeapAlloc.KERNEL32(00000000), ref: 009088DD
                • CopySid.ADVAPI32(00000000,00000000,?), ref: 009088F6
                • GetProcessHeap.KERNEL32(00000000,00000000,0090842F), ref: 0090890A
                • HeapFree.KERNEL32(00000000), ref: 00908911
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                • String ID:
                • API String ID: 3008561057-0
                • Opcode ID: fa3f044f7e05d0874023228c90c70050a27e63ac02317287c4b5e8e7cb47383a
                • Instruction ID: be372bf944f0fc5d318ebf10dc17533674ad9dc82013e759717d127ed9de3471
                • Opcode Fuzzy Hash: fa3f044f7e05d0874023228c90c70050a27e63ac02317287c4b5e8e7cb47383a
                • Instruction Fuzzy Hash: 4C11AC31A25209FFDB14AFA4DC1ABBF7BADEB44311F108028E89597250CB329904EF60
                APIs
                • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009085E2
                • OpenProcessToken.ADVAPI32(00000000), ref: 009085E9
                • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 009085F8
                • CloseHandle.KERNEL32(00000004), ref: 00908603
                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00908632
                • DestroyEnvironmentBlock.USERENV(00000000), ref: 00908646
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                • String ID:
                • API String ID: 1413079979-0
                • Opcode ID: fcd136260c3da6f8f464f7e8e44d7e43a166eaa9bceab340d134c6703b189b91
                • Instruction ID: 5b41f7edee1219a9fc66a1f9e9c1dffda5a846a3a1548281bc090ddbcd2d9288
                • Opcode Fuzzy Hash: fcd136260c3da6f8f464f7e8e44d7e43a166eaa9bceab340d134c6703b189b91
                • Instruction Fuzzy Hash: 5711477260520DAFDF118FA8DD49BEF7BA9EF08344F044065FE05A21A0C7728D64AB60
                APIs
                • GetDC.USER32(00000000), ref: 0090B7B5
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0090B7C6
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0090B7CD
                • ReleaseDC.USER32(00000000,00000000), ref: 0090B7D5
                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0090B7EC
                • MulDiv.KERNEL32(000009EC,?,?), ref: 0090B7FE
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: 516b2c3008f96fc655e5a606a5a20b7081ffcf946c50fa242f7bdcea8855901e
                • Instruction ID: 5012c9b935ed387e603bc5bd87e1cac2240cc96f4dc0e693128a2ff58f65dd99
                • Opcode Fuzzy Hash: 516b2c3008f96fc655e5a606a5a20b7081ffcf946c50fa242f7bdcea8855901e
                • Instruction Fuzzy Hash: E2012175E04219BFEF109BA69D45B5ABFB8EB88761F004065FA04A7291D6709C10DF91
                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008D0193
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 008D019B
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008D01A6
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008D01B1
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 008D01B9
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 008D01C1
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: d8b905cf73258ad923a8c774790b50a15a75fd56f1c754be940cbac01bf6f9b4
                • Instruction ID: daf813c68c6950aa8a4f2fe5c31ac49834499cf35e8bbdf3d90ceed4f00ee2cb
                • Opcode Fuzzy Hash: d8b905cf73258ad923a8c774790b50a15a75fd56f1c754be940cbac01bf6f9b4
                • Instruction Fuzzy Hash: 130148B09017597DE3008F5A8C85A52FEA8FF19354F00411BA15847941C7B5A864CBE5
                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009153F9
                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0091540F
                • GetWindowThreadProcessId.USER32(?,?), ref: 0091541E
                • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0091542D
                • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00915437
                • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0091543E
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: f28591762128a5ef2160d325f5c668f53f536988bf77b1895e5e9121ac12c15a
                • Instruction ID: 49d6583778b389e9bd3c604a324f5b73b7c0f3445f5ce2e57fda538ab15ba639
                • Opcode Fuzzy Hash: f28591762128a5ef2160d325f5c668f53f536988bf77b1895e5e9121ac12c15a
                • Instruction Fuzzy Hash: A1F0963165455CBBD3215B92DC0EEEF7B7CEFC6B15F000169F904D1060D7A01A019AB5
                APIs
                • InterlockedExchange.KERNEL32(?,?), ref: 00917243
                • EnterCriticalSection.KERNEL32(?,?,008C0EE4,?,?), ref: 00917254
                • TerminateThread.KERNEL32(00000000,000001F6,?,008C0EE4,?,?), ref: 00917261
                • WaitForSingleObject.KERNEL32(00000000,000003E8,?,008C0EE4,?,?), ref: 0091726E
                  • Part of subcall function 00916C35: CloseHandle.KERNEL32(00000000,?,0091727B,?,008C0EE4,?,?), ref: 00916C3F
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 00917281
                • LeaveCriticalSection.KERNEL32(?,?,008C0EE4,?,?), ref: 00917288
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: e1c72250824f57168086143400205a8329d7b7928c335c897a875691f3aebeec
                • Instruction ID: 8f9b08deb1fa6e508934576d0ea0fc195b7c3564e65de8a2362061af77cb2a96
                • Opcode Fuzzy Hash: e1c72250824f57168086143400205a8329d7b7928c335c897a875691f3aebeec
                • Instruction Fuzzy Hash: BAF0E236A58602EBD7111B64ED4CEDB7739FF48302B000531F613900A1CBB61841DF50
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0090899D
                • UnloadUserProfile.USERENV(?,?), ref: 009089A9
                • CloseHandle.KERNEL32(?), ref: 009089B2
                • CloseHandle.KERNEL32(?), ref: 009089BA
                • GetProcessHeap.KERNEL32(00000000,?), ref: 009089C3
                • HeapFree.KERNEL32(00000000), ref: 009089CA
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: 6b7d8d7804f2ab308fd3f64204f9524021c05758a3c85f9634bbe4224d242f17
                • Instruction ID: a17a639f13a9fab907e27c967ae05da535fc06b6c2b0d1c94ae1b67e4b355129
                • Opcode Fuzzy Hash: 6b7d8d7804f2ab308fd3f64204f9524021c05758a3c85f9634bbe4224d242f17
                • Instruction Fuzzy Hash: BBE0C236418401FBDA011FE2EC1CD0ABB69FB89362B108230F21981070CB329424EF50
                APIs
                • VariantInit.OLEAUT32(?), ref: 00928613
                • CharUpperBuffW.USER32(?,?), ref: 00928722
                • VariantClear.OLEAUT32(?), ref: 0092889A
                  • Part of subcall function 00917562: VariantInit.OLEAUT32(00000000), ref: 009175A2
                  • Part of subcall function 00917562: VariantCopy.OLEAUT32(00000000,?), ref: 009175AB
                  • Part of subcall function 00917562: VariantClear.OLEAUT32(00000000), ref: 009175B7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Variant$ClearInit$BuffCharCopyUpper
                • String ID: AUTOIT.ERROR$Incorrect Parameter format
                • API String ID: 4237274167-1221869570
                • Opcode ID: 204ddf6f5957bec42c8800a3f2792b640136b7d3810560d9759b727dfdc1aa7e
                • Instruction ID: 06f55783c9c36efde2cbd11f29a56dabab1399a39c7a549c699d72b399ff6ea3
                • Opcode Fuzzy Hash: 204ddf6f5957bec42c8800a3f2792b640136b7d3810560d9759b727dfdc1aa7e
                • Instruction Fuzzy Hash: 489138716083019FC710DF28D48495BBBE8FF89714F14896EF99A8B365DB31E905CB92
                APIs
                  • Part of subcall function 008CFC86: _wcscpy.LIBCMT ref: 008CFCA9
                • _memset.LIBCMT ref: 00912B87
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00912BB6
                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00912C69
                • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00912C97
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ItemMenu$Info$Default_memset_wcscpy
                • String ID: 0
                • API String ID: 4152858687-4108050209
                • Opcode ID: 3a4d918d7482b2ad05915ca9396fd474626e8cbcbf13961735c66b03823a9099
                • Instruction ID: 8edac8cee8eae914cbe2e1abe777d2b1a3bdb6a872b565671825716150d87ba2
                • Instruction Fuzzy Hash: 4B51C1717083099FD724AF28D845AAF77E8EF95310F040A6EF9D5D2290DB70CCA49B92
                APIs
                • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0090D5D4
                • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0090D60A
                • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0090D61B
                • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0090D69D
                Strings
                Similarity
                • API ID: ErrorMode$AddressCreateInstanceProc
                • String ID: DllGetClassObject
                • API String ID: 753597075-1075368562
                • Opcode ID: f38b55344da1f96d6399a83ad33b053c2125c99d2729c72263d9aff685cc63e6
                • Instruction ID: 950905550fa45250d4d97fcd85a336dbe174da7268fee8777efafe3689cd9dca
                • Instruction Fuzzy Hash: D541A2B1601204EFDF15CF94C884B9ABBB9EF44314F1585A9EC099F285D7B2DE44DBA0
                APIs
                • _memset.LIBCMT ref: 009127C0
                • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 009127DC
                • DeleteMenu.USER32(?,00000007,00000000), ref: 00912822
                • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00975890,00000000), ref: 0091286B
                Strings
                Similarity
                • API ID: Menu$Delete$InfoItem_memset
                • String ID: 0
                • API String ID: 1173514356-4108050209
                • Opcode ID: 11cbb1859c792bec5d7b696b1a37d20614e707eb6df1648752574a1b51d0ce7b
                • Instruction ID: 7adf913cac1256359597298a9a1eb1283eb89a94d3e884984bf46d744a0db291
                • Instruction Fuzzy Hash: A741CF702083059FDB24EF24C844BAABBE8EFC5310F044A6DF9A5972D1D730E855CB52
                APIs
                • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0092D7C5
                  • Part of subcall function 008B784B: _memmove.LIBCMT ref: 008B7899
                Strings
                Similarity
                • API ID: BuffCharLower_memmove
                • String ID: cdecl$none$stdcall$winapi
                • API String ID: 3425801089-567219261
                • Opcode ID: a026c4951490108a9f6add3ae9813ea6a8c816c9a1a1371428570e333b48e66f
                • Instruction ID: 2691efd22c17da6639505d1ad9272eb8db5fc835e86bc9ac76f1a13685bdf1b2
                • Instruction Fuzzy Hash: 3131AF71A04629AFCF10EF58D851AEEB7B8FF44320B10862AE825D77D5DB31A905CB80
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 0090AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0090AABC
                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00908F14
                • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00908F27
                • SendMessageW.USER32(?,00000189,?,00000000), ref: 00908F57
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                Strings
                Similarity
                • API ID: MessageSend$_memmove$ClassName
                • String ID: ComboBox$ListBox
                • API String ID: 365058703-1403004172
                • Opcode ID: 27e35963c77032860cdbb6c513cc0d3bcc97db031783cbcd55d5ce75dbee8a2a
                • Instruction ID: 67d92c5bdc522f67fec56feaf01b7998f8c4738a428b640d8b79cc326362c384
                • Instruction Fuzzy Hash: CA212371A04209BEDB14ABB4CC86DFFBB69EF85364F044629F561972E0DF390C0ADA50
                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0092184C
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00921872
                • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009218A2
                • InternetCloseHandle.WININET(00000000), ref: 009218E9
                  • Part of subcall function 00922483: GetLastError.KERNEL32(?,?,00921817,00000000,00000000,00000001), ref: 00922498
                  • Part of subcall function 00922483: SetEvent.KERNEL32(?,?,00921817,00000000,00000000,00000001), ref: 009224AD
                Strings
                Similarity
                • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3113390036-3916222277
                • Opcode ID: a51e42607795c4f8d6c2e59acfbf9729b87200a5aa896f9d086f72a5705d45fe
                • Instruction ID: 0b9b2dc38fe02c5ed4764f4fa3a36bb3572a39bc30b65f1410207821ef52ec8d
                • Instruction Fuzzy Hash: 7E21F2B1500318BFEB11AF60ECC5EBF77EDEB99744F10412AF405D6244EB258D1467A1
                APIs
                  • Part of subcall function 008B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008B1D73
                  • Part of subcall function 008B1D35: GetStockObject.GDI32(00000011), ref: 008B1D87
                  • Part of subcall function 008B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008B1D91
                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00936461
                • LoadLibraryW.KERNEL32(?), ref: 00936468
                • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0093647D
                • DestroyWindow.USER32(?), ref: 00936485
                Strings
                Similarity
                • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                • String ID: SysAnimate32
                • API String ID: 4146253029-1011021900
                • Opcode ID: 9975101e7c015ae02403545dbf9d5482e1b9e35632f1afaff52d23feafd210f5
                • Instruction ID: 1898ce78b56fdab02a30bf37dbc1a7cbb632b88054f9c99f62998a143222d3ae
                • Instruction Fuzzy Hash: 15219D71A10205BFEF104F64EC98EBB77ADEF59368F108629FA10961A0D771DC41AB60
                APIs
                • GetStdHandle.KERNEL32(0000000C), ref: 00916DBC
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00916DEF
                • GetStdHandle.KERNEL32(0000000C), ref: 00916E01
                • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00916E3B
                Strings
                Similarity
                • API ID: CreateHandle$FilePipe
                • String ID: nul
                • API String ID: 4209266947-2873401336
                • Opcode ID: 7c82cbdfab0d9dc43b92cfc17459b8462b45d87da7a18a5b4e870d2ce062ec17
                • Instruction ID: 769f1e2481d06946cc12eb00c09cda4872a30ef2057cade6267c4b86db888b55
                • Instruction Fuzzy Hash: 07214F79B0020DABDB209F29EC05BDA7BB8EF94720F204A19F9A1D72D0D77099949B50
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 00916E89
                • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00916EBB
                • GetStdHandle.KERNEL32(000000F6), ref: 00916ECC
                • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00916F06
                Strings
                Similarity
                • API ID: CreateHandle$FilePipe
                • String ID: nul
                • API String ID: 4209266947-2873401336
                • Opcode ID: 9c8d04dd07ed0f681dda9e3140ba788984ede0c332889e04c1e817ed9653050c
                • Instruction ID: 1486cca88d6abc0e596c4e49be8b978c1246a8af0f9d2d54053f042ed842def9
                • Instruction Fuzzy Hash: C9216079B003199BDB209F69DC04AEA77A8AF55720F200B19FDA1D72D0D770A8A1CB50
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0091AC54
                • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0091ACA8
                • __swprintf.LIBCMT ref: 0091ACC1
                • SetErrorMode.KERNEL32(00000000,00000001,00000000,0093F910), ref: 0091ACFF
                Strings
                Similarity
                • API ID: ErrorMode$InformationVolume__swprintf
                • String ID: %lu
                • API String ID: 3164766367-685833217
                • Opcode ID: 8b5df4a1cd1a9afa6240a4852acbdeda21f6b829e9ca3803cde9dbeb9919137b
                • Instruction ID: 2f6664da7684ea36fbea9300e466b3e4cecc3db455e67c6b09fffdb157232fbe
                • Instruction Fuzzy Hash: 22213234A00109AFCB10DF69D945EEE7BB8FF89714B004469F509DB351DB31EA41DB62
                APIs
                • CharUpperBuffW.USER32(?,?), ref: 00911B19
                Strings
                Similarity
                • API ID: BuffCharUpper
                • String ID: APPEND$EXISTS$KEYS$REMOVE
                • API String ID: 3964851224-769500911
                • Opcode ID: dc21b7ba442880c0dff34a515f797497a10f1b24f4f09d1e12d1e1184ea9e1c3
                • Instruction ID: 322ebe58a8135f9fc0414d5c5cf06e3fb44e8b7a0146e74a8acfcf90c46ae4e1
                • Instruction Fuzzy Hash: 90118E30A442189FCF00EF58D8519EEB7B4FF25304F5045A5E815A7391EB329D06CF41
                APIs
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0092EC07
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0092EC37
                • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0092ED6A
                • CloseHandle.KERNEL32(?), ref: 0092EDEB
                Similarity
                • API ID: Process$CloseCountersHandleInfoMemoryOpen
                • String ID:
                • API String ID: 2364364464-0
                • Opcode ID: dd734ce3298e4f81727b0462faaade1a3388e07567c10a47b6794019ba40f4f8
                • Instruction ID: acc46a8f45cb41b7204398a183371073a933ce56045cfca8eee1fab2621584e7
                • Instruction Fuzzy Hash: 6F815D716043119FD760EF28D886B6AB7E9EF44710F14882DFA99DB3D2D670AC44CB92
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 00930E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0092FDAD,?,?), ref: 00930E31
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009300FD
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0093013C
                • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00930183
                • RegCloseKey.ADVAPI32(?,?), ref: 009301AF
                • RegCloseKey.ADVAPI32(00000000), ref: 009301BC
                Similarity
                • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                • String ID:
                • API String ID: 3440857362-0
                • Opcode ID: a151eafbacd0cad3c3001473b33b18d77de794dc517cdf9f73f96f8064061427
                • Instruction ID: 086fd5eecb73416f6f06e561e661b44489063bd005218b3d499eadabcfa5f6a5
                • Instruction Fuzzy Hash: 08512871618204AFD714EF68C891FAAB7E9FF84314F44492DF596872A2DB31E904CF52
                APIs
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0092D927
                • GetProcAddress.KERNEL32(00000000,?), ref: 0092D9AA
                • GetProcAddress.KERNEL32(00000000,00000000), ref: 0092D9C6
                • GetProcAddress.KERNEL32(00000000,?), ref: 0092DA07
                • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0092DA21
                  • Part of subcall function 008B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00917896,?,?,00000000), ref: 008B5A2C
                  • Part of subcall function 008B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00917896,?,?,00000000,?,?), ref: 008B5A50
                Similarity
                • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                • String ID:
                • API String ID: 327935632-0
                • Opcode ID: 23614ae37b6a4c319acb1ecad78cacf51c3b3bee065c5a344377dd8706ad2afb
                • Instruction ID: 588cb64374514ce9ec743e7e524867ab71ed00af661888183ed7a030c487a250
                • Instruction Fuzzy Hash: 71512735A05219DFCB00EFA8D484AADB7F9FF09320B048065E959AB322D730ED45CF91
                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0091E61F
                • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0091E648
                • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0091E687
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0091E6AC
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0091E6B4
                Similarity
                • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                • String ID:
                • API String ID: 1389676194-0
                • Opcode ID: 38a729fc1b6ff2e02791d8c6aedf34a83bf06e92ed098794c00eabfc7d1f0453
                • Instruction ID: 98cae86b3f3005d7947bb0f51bb2782c4d0a216e72572f60d4cdcaa360d65f7a
                • Instruction Fuzzy Hash: 0551F935A00109DFCB01EF68C981AAEBBF5FF09314B1480A9E959AB362CB31ED51DF51
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b3feb29b9cb84e2d46a18346486f0e892badd981e618df98386c38253920b329
                • Instruction ID: bc1d16df1f57e581f4f9f14bd64786621ccb78e29b5637617e783ec25faf925d
                • Instruction Fuzzy Hash: EC41E636D0C104AFD724DFA8CC59FE9BBA8EB09320F150565F896A72E1C7709D41EE51
                APIs
                • GetCursorPos.USER32(?), ref: 008B2357
                • ScreenToClient.USER32(009757B0,?), ref: 008B2374
                • GetAsyncKeyState.USER32(00000001), ref: 008B2399
                • GetAsyncKeyState.USER32(00000002), ref: 008B23A7
                Similarity
                • API ID: AsyncState$ClientCursorScreen
                • String ID:
                • API String ID: 4210589936-0
                • Opcode ID: 1e7c033affa1ca0c45d70cd2629a6671472295c3b0feffa8b32f91a162e0fa90
                • Instruction ID: c78318da06324f2ff22687b108bd2821c4ee4a939b4d9c873a2bf68947a9ea39
                • Instruction Fuzzy Hash: 5E416235908509FBCF159F69C844AE9BBB4FB0A364F204355F829D23A0C7349954DF91
                APIs
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009063E7
                • TranslateAcceleratorW.USER32(?,?,?), ref: 00906433
                • TranslateMessage.USER32(?), ref: 0090645C
                • DispatchMessageW.USER32(?), ref: 00906466
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00906475
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Message$PeekTranslate$AcceleratorDispatch
                • String ID:
                • API String ID: 2108273632-0
                • Opcode ID: 9faa0c18fbd55ac4363d870e4ce65d699aaf4243061c7900fd396ed1d75dc299
                • Instruction ID: ac0257276c9c31ce89923b85c702a83252a109b8453127e0fbffe6a4c823c2f2
                • Opcode Fuzzy Hash: 9faa0c18fbd55ac4363d870e4ce65d699aaf4243061c7900fd396ed1d75dc299
                • Instruction Fuzzy Hash: 1B310632914646AFDB64CFB4CC44BB67BFCAB01310F150169E429C31F1E775A8A9EBA1
                APIs
                • GetWindowRect.USER32(?,?), ref: 00908A30
                • PostMessageW.USER32(?,00000201,00000001), ref: 00908ADA
                • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00908AE2
                • PostMessageW.USER32(?,00000202,00000000), ref: 00908AF0
                • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00908AF8
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                • Opcode ID: 9d52231450a1b5472144ea88e8c5e4d215cf7d450010d6c262907cb7282eb9f4
                • Instruction ID: 107ca15d5895b808e2b3245773069dfd0a97e68dcc5a9998538ff8ca6a5f0b94
                • Opcode Fuzzy Hash: 9d52231450a1b5472144ea88e8c5e4d215cf7d450010d6c262907cb7282eb9f4
                • Instruction Fuzzy Hash: AE31E071A00219EFDF14CFA8D94DA9F3BB9EB04315F10822AF965E61D0C7B09914DB90
                APIs
                • IsWindowVisible.USER32(?), ref: 0090B204
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0090B221
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0090B259
                • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0090B27F
                • _wcsstr.LIBCMT ref: 0090B289
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                • String ID:
                • API String ID: 3902887630-0
                • Opcode ID: 81969a05e546f96fe10bbf11ffa69ea30a6f03bf5522b4983ac38c5bb8490bd2
                • Instruction ID: 07d5d4f23ee6efb86949f97c97d1a92a325e656c245156eefc5162af69609ccc
                • Opcode Fuzzy Hash: 81969a05e546f96fe10bbf11ffa69ea30a6f03bf5522b4983ac38c5bb8490bd2
                • Instruction Fuzzy Hash: BD210732604204BFEB155B7D9C09E7F7B9CDF59720F00413AF804DA1A1EF65DC40A661
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • GetWindowLongW.USER32(?,000000F0), ref: 0093B192
                • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0093B1B7
                • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0093B1CF
                • GetSystemMetrics.USER32(00000004), ref: 0093B1F8
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00920E90,00000000), ref: 0093B216
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$Long$MetricsSystem
                • String ID:
                • API String ID: 2294984445-0
                • Opcode ID: 5eb3cab1ab0b67c42ea13243ec22db7e80a25e1d45195375fbd943357b09baa4
                • Instruction ID: e758eee4550970ddff2a7ae16e396c1eb6488029a0d1ec5269acd3bffeb5e3fe
                • Opcode Fuzzy Hash: 5eb3cab1ab0b67c42ea13243ec22db7e80a25e1d45195375fbd943357b09baa4
                • Instruction Fuzzy Hash: DB219172A28655AFCB109F78DC18A6A37A8FB15321F114B28FA36D71E0E73098509F90
                APIs
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00909320
                  • Part of subcall function 008B7BCC: _memmove.LIBCMT ref: 008B7C06
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00909352
                • __itow.LIBCMT ref: 0090936A
                • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00909392
                • __itow.LIBCMT ref: 009093A3
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend$__itow$_memmove
                • String ID:
                • API String ID: 2983881199-0
                • Opcode ID: 13adfe873273dd3b85413c9a2c7bbabf7c78361585b2e8d288f3e5b8fe01623a
                • Instruction ID: c4cadfaab07cd27a4da957d7da978ffe81454b7c650386cf4f014601cacf5ffa
                • Opcode Fuzzy Hash: 13adfe873273dd3b85413c9a2c7bbabf7c78361585b2e8d288f3e5b8fe01623a
                • Instruction Fuzzy Hash: 3621D731B05208AFDB10AB649C86EEF7BADEB89714F044029F905D72D2D6B08D459B92
                APIs
                • IsWindow.USER32(00000000), ref: 00925A6E
                • GetForegroundWindow.USER32 ref: 00925A85
                • GetDC.USER32(00000000), ref: 00925AC1
                • GetPixel.GDI32(00000000,?,00000003), ref: 00925ACD
                • ReleaseDC.USER32(00000000,00000003), ref: 00925B08
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$ForegroundPixelRelease
                • String ID:
                • API String ID: 4156661090-0
                • Opcode ID: df5b926df52d1f8203b160d8664f4e2e4d24bd26da11af2f37cfb1790d70ebc9
                • Instruction ID: 67704c3ecb77feab230af9f97050f2e87702e6c2d3ec02f249a7b14e37fd9f61
                • Opcode Fuzzy Hash: df5b926df52d1f8203b160d8664f4e2e4d24bd26da11af2f37cfb1790d70ebc9
                • Instruction Fuzzy Hash: A521A135A04118AFDB00EF68DC89A9ABBF5EF48310F148479F849D7362CA30AD40DB90
                APIs
                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008B134D
                • SelectObject.GDI32(?,00000000), ref: 008B135C
                • BeginPath.GDI32(?), ref: 008B1373
                • SelectObject.GDI32(?,00000000), ref: 008B139C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ObjectSelect$BeginCreatePath
                • String ID:
                • API String ID: 3225163088-0
                • Opcode ID: 5cc9310f256a8c4a807b4b06eab9591e6bec606fbc7849cc28c5430a36e33b09
                • Instruction ID: a83cbac61ebfe67429b80645fa5e27f4010d9bd1dcd4fe3a43206b1604e8016d
                • Opcode Fuzzy Hash: 5cc9310f256a8c4a807b4b06eab9591e6bec606fbc7849cc28c5430a36e33b09
                • Instruction Fuzzy Hash: 0421A131C28608EBDF108F59DC587E97BE8FB04325F584225F414DA2B1E7B48891EF41
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memcmp
                • String ID:
                • API String ID: 2931989736-0
                • Opcode ID: 25333cb1273fa3bbe40520a60bd3bb867e7ec46786001df4e232fcd899f87578
                • Instruction ID: 3b59d8f6a54c90bc17efe4518d25173b03ecbf85aab5d59740a039e54ed21e5e
                • Opcode Fuzzy Hash: 25333cb1273fa3bbe40520a60bd3bb867e7ec46786001df4e232fcd899f87578
                • Instruction Fuzzy Hash: 5301B5B16001197FE6046B19AD82FBBB75EFE6539CF084425FD45963C3EB50DE1082A5
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 00914ABA
                • __beginthreadex.LIBCMT ref: 00914AD8
                • MessageBoxW.USER32(?,?,?,?), ref: 00914AED
                • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00914B03
                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00914B0A
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                • String ID:
                • API String ID: 3824534824-0
                • Opcode ID: 03f3857e35b68e84ec10a0d2a200d76a69420db92ebe8ca831cbf107dac9cb59
                • Instruction ID: f0c49495e9c0f804a44ce86c3c29e0186410d7f8a55a087bbaf998b68116a451
                • Opcode Fuzzy Hash: 03f3857e35b68e84ec10a0d2a200d76a69420db92ebe8ca831cbf107dac9cb59
                • Instruction Fuzzy Hash: 7F110C76E1C608BBD7009FA8AC04ADF7FACEB49320F154269F824D3351E671CD449BA1
                APIs
                • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0090821E
                • GetLastError.KERNEL32(?,00907CE2,?,?,?), ref: 00908228
                • GetProcessHeap.KERNEL32(00000008,?,?,00907CE2,?,?,?), ref: 00908237
                • HeapAlloc.KERNEL32(00000000,?,00907CE2,?,?,?), ref: 0090823E
                • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00908255
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                • String ID:
                • API String ID: 842720411-0
                • Opcode ID: 5fd3805c94e416248c6cca2379420b52dbc3fef344c013ec8167ace9c61b58e1
                • Instruction ID: 5d9a09f7662b0fc3b0d3b4ca30aeacb99bc2ae39d485c18ef0dad4364e2e0215
                • Opcode Fuzzy Hash: 5fd3805c94e416248c6cca2379420b52dbc3fef344c013ec8167ace9c61b58e1
                • Instruction Fuzzy Hash: FA0162B1714604FFDB104FAADC58D677BACEF857947500429F859C2160DA318C10DE60
                APIs
                • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?,?,00907455), ref: 00907127
                • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?), ref: 00907142
                • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?), ref: 00907150
                • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?), ref: 00907160
                • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00907044,80070057,?,?), ref: 0090716C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: From$Prog$FreeStringTasklstrcmpi
                • String ID:
                • API String ID: 3897988419-0
                • Opcode ID: f5e00b8449e9fdf7ca594f9ceb33c12081d8f2f88f24d56997c9b5a247ae4c95
                • Instruction ID: aa4b108f90e61a74b805afe7a96e28645ba4b88ef9ef76ae317b4b6d1e76af96
                • Opcode Fuzzy Hash: f5e00b8449e9fdf7ca594f9ceb33c12081d8f2f88f24d56997c9b5a247ae4c95
                • Instruction Fuzzy Hash: AE017C76A19208BFDB114FA4DC44AAABBBDEB447A1F140065FD05D22A0D731ED41EBA0
                APIs
                • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00915260
                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0091526E
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00915276
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00915280
                • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009152BC
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                • Opcode ID: d88d55aebc28e3c66169669dd8f8cbb04dc8387ca902841337392b3df13c3c3d
                • Instruction ID: f337d612832d44f1137762804d1d7f15bce0fd94e69ba17ec6d022887028c738
                • Opcode Fuzzy Hash: d88d55aebc28e3c66169669dd8f8cbb04dc8387ca902841337392b3df13c3c3d
                • Instruction Fuzzy Hash: 4801AD32E19A1DDBCF00DFE4E8495EDBB78FB49311F020856E965F2140CB3059949BA1
                APIs
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00908121
                • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0090812B
                • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0090813A
                • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00908141
                • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00908157
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: HeapInformationToken$AllocErrorLastProcess
                • String ID:
                • API String ID: 44706859-0
                • Opcode ID: be343460049e324855f1be56ffc89acc8eaf25ec09ccc6ab54f4756cfeb40d67
                • Instruction ID: 2398646c9f0c31efe02e76d4d6ee268174384d3abf542723cfe881aaec118f53
                • Opcode Fuzzy Hash: be343460049e324855f1be56ffc89acc8eaf25ec09ccc6ab54f4756cfeb40d67
                • Instruction Fuzzy Hash: 84F062B1718304BFEB510FA5EC98E673BACFF49B54B000025F985C61A0CB61DD55EE60
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 0090C1F7
                • GetWindowTextW.USER32(00000000,?,00000100), ref: 0090C20E
                • MessageBeep.USER32(00000000), ref: 0090C226
                • KillTimer.USER32(?,0000040A), ref: 0090C242
                • EndDialog.USER32(?,00000001), ref: 0090C25C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 6c9e00b8959952ee39e71c5fee47438eee837518912106a46d508fb6348f447e
                • Instruction ID: 25b56af5e4a6098af47d393dbc58872d8766aa6cd1128468ead80e012bf16473
                • Opcode Fuzzy Hash: 6c9e00b8959952ee39e71c5fee47438eee837518912106a46d508fb6348f447e
                • Instruction Fuzzy Hash: 0B016270918708ABEB205B68ED5EB9677B8FF00B06F000669B552A18E1DBE4A9549F90
                APIs
                • EndPath.GDI32(?), ref: 008B13BF
                • StrokeAndFillPath.GDI32(?,?,008EB888,00000000,?), ref: 008B13DB
                • SelectObject.GDI32(?,00000000), ref: 008B13EE
                • DeleteObject.GDI32 ref: 008B1401
                • StrokePath.GDI32(?), ref: 008B141C
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                • API String ID: 2625713937-0
                • Opcode ID: ca38c5ed4f7cb3a49d30ab1f9b22045cee23032308c015d0e28a56d3bc03640e
                • Instruction ID: 0b8c453c782abd91ec8afb7d28f72b4fbe40e98578647dee2a6865fcd2dc0edb
                • Opcode Fuzzy Hash: ca38c5ed4f7cb3a49d30ab1f9b22045cee23032308c015d0e28a56d3bc03640e
                • Instruction Fuzzy Hash: FBF06932428A08EBDB554F2AEC5C7983FA5F701326F088224E429881F2C37048A1EF11
                APIs
                  • Part of subcall function 008D0DB6: std::exception::exception.LIBCMT ref: 008D0DEC
                  • Part of subcall function 008D0DB6: __CxxThrowException@8.LIBCMT ref: 008D0E01
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 008B7A51: _memmove.LIBCMT ref: 008B7AAB
                • __swprintf.LIBCMT ref: 008C2ECD
                Strings
                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 008C2D66
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                • API String ID: 1943609520-557222456
                • Opcode ID: 36850627f1f9574e87a3ff784d85b40c928cca5a4a365960cfb738ecd092662b
                • Instruction ID: b803a32332b55a5aced92eac2b103536ed02867021aa147f44c518bb41a4301e
                • Opcode Fuzzy Hash: 36850627f1f9574e87a3ff784d85b40c928cca5a4a365960cfb738ecd092662b
                • Instruction Fuzzy Hash: 3E9138711083159BCB14EF28C895EAEB7B4FF95710F044A1EF595DB2A2EA30ED44CB52
                APIs
                  • Part of subcall function 008B4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008B4743,?,?,008B37AE,?), ref: 008B4770
                • CoInitialize.OLE32(00000000), ref: 0091B9BB
                • CoCreateInstance.OLE32(00942D6C,00000000,00000001,00942BDC,?), ref: 0091B9D4
                • CoUninitialize.OLE32 ref: 0091B9F1
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                • String ID: .lnk
                • API String ID: 2126378814-24824748
                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 008D50AD
                  • Part of subcall function 008E00F0: __87except.LIBCMT ref: 008E012B
                Similarity
                • API ID: ErrorHandling__87except__start
                • String ID: pow
                • API String ID: 2905807303-2276729525
                Similarity
                • API ID: _memset$_memmove
                • String ID: ERCP
                • API String ID: 2532777613-1384759551
                APIs
                  • Part of subcall function 009114BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00909296,?,?,00000034,00000800,?,00000034), ref: 009114E6
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0090983F
                  • Part of subcall function 00911487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009092C5,?,?,00000800,?,00001073,00000000,?,?), ref: 009114B1
                  • Part of subcall function 009113DE: GetWindowThreadProcessId.USER32(?,?), ref: 00911409
                  • Part of subcall function 009113DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0090925A,00000034,?,?,00001004,00000000,00000000), ref: 00911419
                  • Part of subcall function 009113DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0090925A,00000034,?,?,00001004,00000000,00000000), ref: 0091142F
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009098AC
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009098F9
                Similarity
                • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                • String ID: @
                • API String ID: 4150878124-2766056989
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0093F910,00000000,?,?,?,?), ref: 009379DF
                • GetWindowLongW.USER32 ref: 009379FC
                • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00937A0C
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                APIs
                • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00937461
                • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00937475
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00937499
                Similarity
                • API ID: MessageSend$Window
                • String ID: SysMonthCal32
                • API String ID: 2326795674-1439706946
                APIs
                • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00937C4A
                • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00937C58
                • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00937C5F
                Similarity
                • API ID: MessageSend$DestroyWindow
                • String ID: msctls_updown32
                • API String ID: 4014797782-2298589950
                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00936D3B
                • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00936D4B
                • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00936D70
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00937772
                • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00937787
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00937794
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,008B4BD0,?,008B4DEF,?,009752F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 008B4C11
                • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008B4C23
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                • API String ID: 2574300362-3689287502
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,?,008B4B83,?), ref: 008B4C44
                • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008B4C56
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                • API String ID: 2574300362-1355242751
                APIs
                • LoadLibraryA.KERNEL32(advapi32.dll,?,00931039), ref: 00930DF5
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00930E07
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: RegDeleteKeyExW$advapi32.dll
                • API String ID: 2574300362-4033151799
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00928CF4,?,0093F910), ref: 009290EE
                • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00929100
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetModuleHandleExW$kernel32.dll
                • API String ID: 2574300362-199464113
                Similarity
                • API ID: LocalTime__swprintf
                • String ID: %.3d$WIN_XPe
                • API String ID: 2070861257-2409531811
                APIs
                • CharLowerBuffW.USER32(?,?), ref: 0092E0BE
                • CharLowerBuffW.USER32(?,?), ref: 0092E101
                  • Part of subcall function 0092D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0092D7C5
                • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0092E301
                • _memmove.LIBCMT ref: 0092E314
                Similarity
                • API ID: BuffCharLower$AllocVirtual_memmove
                • String ID:
                • API String ID: 3659485706-0
                APIs
                • CoInitialize.OLE32(00000000), ref: 009280C3
                • CoUninitialize.OLE32 ref: 009280CE
                  • Part of subcall function 0090D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0090D5D4
                • VariantInit.OLEAUT32(?), ref: 009280D9
                • VariantClear.OLEAUT32(?), ref: 009283AA
                Similarity
                • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                • String ID:
                • API String ID: 780911581-0
                APIs
                • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00942C7C,?), ref: 009076EA
                • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00942C7C,?), ref: 00907702
                • CLSIDFromProgID.OLE32(?,?,00000000,0093FB80,000000FF,?,00000000,00000800,00000000,?,00942C7C,?), ref: 00907727
                • _memcmp.LIBCMT ref: 00907748
                Similarity
                • API ID: FromProg$FreeTask_memcmp
                • String ID:
                • API String ID: 314563124-0
                APIs
                Similarity
                • API ID: Variant$AllocClearCopyInitString
                • String ID:
                • API String ID: 2808897238-0
                • Opcode ID: b046f8efff450cee2fccfb524613678c766b9f04eab4ea6ec623fbb6d479f9d3
                • Instruction ID: 33e632d564e65f7f5ae411d99d62f6e065298bb85e55490fbb998f11b07b97b7
                • Opcode Fuzzy Hash: b046f8efff450cee2fccfb524613678c766b9f04eab4ea6ec623fbb6d479f9d3
                • Instruction Fuzzy Hash: FC51A0747043029EDB24AF69D895B6AB3E9EF45310F20D81FE596EB2D1DB74D8A08B01
                APIs
                • GetWindowRect.USER32(014CF508,?), ref: 00939863
                • ScreenToClient.USER32(00000002,00000002), ref: 00939896
                • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00939903
                Similarity
                • API ID: Window$ClientMoveRectScreen
                • String ID:
                • API String ID: 3880355969-0
                • Opcode ID: 59277b194e28decc46efb158c50137ee441ce8df4f3019990dd0ffa67aaad138
                • Instruction ID: 47d9cea6d1cfce8327842ee957d9edcef1add5ad103e3d17361a1547c6531a0e
                • Opcode Fuzzy Hash: 59277b194e28decc46efb158c50137ee441ce8df4f3019990dd0ffa67aaad138
                • Instruction Fuzzy Hash: C3513D35A00209AFDF14CF68D884BAE7BB9FF85360F148159F8659B2A0D770AD81DF90
                APIs
                • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00909AD2
                • __itow.LIBCMT ref: 00909B03
                  • Part of subcall function 00909D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00909DBE
                • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00909B6C
                • __itow.LIBCMT ref: 00909BC3
                Similarity
                • API ID: MessageSend$__itow
                • String ID:
                • API String ID: 3379773720-0
                • Opcode ID: 8626b5dfa51e6b18fa448fcd3348d511765aa44bba330b4bba20a495904f5f01
                • Instruction ID: e79eea16ecc52e03af8ba1749935752d81730edab19be27d60128175c0425974
                • Opcode Fuzzy Hash: 8626b5dfa51e6b18fa448fcd3348d511765aa44bba330b4bba20a495904f5f01
                • Instruction Fuzzy Hash: 7A415E74A00308AFDF15EF58D856BEE7FB9EF84764F000069F905A7292DB749A44CB62
                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 009269D1
                • WSAGetLastError.WSOCK32(00000000), ref: 009269E1
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00926A45
                • WSAGetLastError.WSOCK32(00000000), ref: 00926A51
                Similarity
                • API ID: ErrorLast$__itow__swprintfsocket
                • String ID:
                • API String ID: 2214342067-0
                • Opcode ID: cb04cfbede0b144594f920683ec29a45b5af2a0973978d4f4e3b332003e00426
                • Instruction ID: 5aa1f70e879240994db73f80587dc8bf74624cb3c6e1d532638a18b7103843d3
                • Opcode Fuzzy Hash: cb04cfbede0b144594f920683ec29a45b5af2a0973978d4f4e3b332003e00426
                • Instruction Fuzzy Hash: 92418375740211AFEB54AF28DC86F6977A8EF05B14F048468FA59DB3D2DA709D008B52
                APIs
                • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0093F910), ref: 009264A7
                • _strlen.LIBCMT ref: 009264D9
                Similarity
                • API ID: _strlen
                • String ID:
                • API String ID: 4218353326-0
                • Opcode ID: a84fbfd70d3a066267e843a29b9e33f7a04d8918ddf650e99a87991a3eb46ae1
                • Instruction ID: a05920252a69b2a6ccbb101b4b650006e6ae0b2e8a4630b245bc14b1ef52af91
                • Opcode Fuzzy Hash: a84fbfd70d3a066267e843a29b9e33f7a04d8918ddf650e99a87991a3eb46ae1
                • Instruction Fuzzy Hash: 62418031A04115ABCB14EBA8EC95FEEB7A9FF44310F148559F919D73A6DB30AD00CB51
                APIs
                • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0091B89E
                • GetLastError.KERNEL32(?,00000000), ref: 0091B8C4
                • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0091B8E9
                • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0091B915
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: 674338bbc136f5cf6b22ac66dc5ab23c5053501085eb661cd8cc34c83b95e745
                • Instruction ID: b811179047e38917077636b80c0411b757a12e37a70284c684ff0075bfd6efa8
                • Opcode Fuzzy Hash: 674338bbc136f5cf6b22ac66dc5ab23c5053501085eb661cd8cc34c83b95e745
                • Instruction Fuzzy Hash: 4941F739604514DFCB11EF19C484A99BBB6FF4A714F098098ED8A9B362CB30ED41DB92
                APIs
                • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009388DE
                Similarity
                • API ID: InvalidateRect
                • String ID:
                • API String ID: 634782764-0
                • Opcode ID: 333c93367d495748b2178611be511d9b54733d26803bf9551f5e05ac7d104e4e
                • Instruction ID: 8f4590d34ea1856516b117c35f2fc3afb2a68ad0df435c891c3d05f824861d89
                • Opcode Fuzzy Hash: 333c93367d495748b2178611be511d9b54733d26803bf9551f5e05ac7d104e4e
                • Instruction Fuzzy Hash: DF310474614308AFEF249A28CC45FBA37A8EB0A350F644512FA25E62A1CE70ED409F53
                APIs
                • ClientToScreen.USER32(?,?), ref: 0093AB60
                • GetWindowRect.USER32(?,?), ref: 0093ABD6
                • PtInRect.USER32(?,?,0093C014), ref: 0093ABE6
                • MessageBeep.USER32(00000000), ref: 0093AC57
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: 546ade7b99271114a06889a602b17490e0acadc1c3a0c5961357127513e57994
                • Instruction ID: 55f02ea4c2e1c80bb3bdbfba141fd9e639e82db31f93f44ead643b589b15e54b
                • Opcode Fuzzy Hash: 546ade7b99271114a06889a602b17490e0acadc1c3a0c5961357127513e57994
                • Instruction Fuzzy Hash: A1418D31A04119DFCF11DF58C884BA9BBF5FF49300F1894A9E898DB261D730A841DF92
                APIs
                • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00910B27
                • SetKeyboardState.USER32(00000080,?,00000001), ref: 00910B43
                • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00910BA9
                • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00910BFB
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: 696621bb531aa3b18d49c8b16aad397a922d631e77a8008b6ca9d791b5a1a754
                • Instruction ID: 8bff0134ea1e8996f81ac62582234345fabbbc4a178165c8f1956987d8666f69
                • Opcode Fuzzy Hash: 696621bb531aa3b18d49c8b16aad397a922d631e77a8008b6ca9d791b5a1a754
                • Instruction Fuzzy Hash: 42310770F8861CAEFF308A258C05BFEBBADABC5318F04466AF591521D1C3FA89D09751
                APIs
                • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00910C66
                • SetKeyboardState.USER32(00000080,?,00008000), ref: 00910C82
                • PostMessageW.USER32(00000000,00000101,00000000), ref: 00910CE1
                • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00910D33
                Similarity
                • API ID: KeyboardState$InputMessagePostSend
                • String ID:
                • API String ID: 432972143-0
                • Opcode ID: ee8364f4465d963bd573bf3910a1452a24cdecc3159fd45cb98483663949e603
                • Instruction ID: 8cea6fac84f3e2c9b75c1076808a67c978512d3de2cba8c53f1094d4e58ca410
                • Opcode Fuzzy Hash: ee8364f4465d963bd573bf3910a1452a24cdecc3159fd45cb98483663949e603
                • Instruction Fuzzy Hash: 87313530B0431CAEFF308A649815BFEBB6AABC5310F04471AE4C0521D1C3BA99D59BD1
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008E61FB
                • __isleadbyte_l.LIBCMT ref: 008E6229
                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008E6257
                • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008E628D
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: 4f13a38e6a5bcd838f67e977aba5dc9effad236afde979c219d83430c8fe24c6
                • Instruction ID: ec6bd10f79e13af1774ba7f59aba3456dba97f22decfa59f32fef484fb1a5f98
                • Opcode Fuzzy Hash: 4f13a38e6a5bcd838f67e977aba5dc9effad236afde979c219d83430c8fe24c6
                • Instruction Fuzzy Hash: 3431C130A04286EFDF228F76CC44BAA7BA9FF52390F154129E924C7191E730E960DB90
                APIs
                • GetForegroundWindow.USER32 ref: 00934F02
                  • Part of subcall function 00913641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0091365B
                  • Part of subcall function 00913641: GetCurrentThreadId.KERNEL32 ref: 00913662
                  • Part of subcall function 00913641: AttachThreadInput.USER32(00000000,?,00915005), ref: 00913669
                • GetCaretPos.USER32(?), ref: 00934F13
                • ClientToScreen.USER32(00000000,?), ref: 00934F4E
                • GetForegroundWindow.USER32 ref: 00934F54
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: 5701532adad557aa6609368a95ee33391778233ebcdd94db494c52af47b34d05
                • Instruction ID: b907b885f5aa20a4c67bdef3c3a1fbde44aa804b26e9863e98341f9001fce9d9
                • Opcode Fuzzy Hash: 5701532adad557aa6609368a95ee33391778233ebcdd94db494c52af47b34d05
                • Instruction Fuzzy Hash: DD312F71E00108AFCB00EFA9C8859EFB7FDEF99300F10406AE555E7251DA75AE45CBA1
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00913C7A
                • Process32FirstW.KERNEL32(00000000,?), ref: 00913C88
                • Process32NextW.KERNEL32(00000000,?), ref: 00913CA8
                • CloseHandle.KERNEL32(00000000), ref: 00913D52
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                • String ID:
                • API String ID: 420147892-0
                • Opcode ID: bd2445c76cb9cdb5af08b5400b350e4c2c25da856961cc29e96b60f0a5b25d40
                • Instruction ID: 1d6a68004cbff4fe5b19f1f197348b021c6ca60bb841a2bc241e6794f766c0e8
                • Opcode Fuzzy Hash: bd2445c76cb9cdb5af08b5400b350e4c2c25da856961cc29e96b60f0a5b25d40
                • Instruction Fuzzy Hash: 00317E712083059FD304EF64D881AEABBF8FF95354F50092DF482C62A1EB719A49CB93
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • GetCursorPos.USER32(?), ref: 0093C4D2
                • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008EB9AB,?,?,?,?,?), ref: 0093C4E7
                • GetCursorPos.USER32(?), ref: 0093C534
                • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008EB9AB,?,?,?), ref: 0093C56E
                Similarity
                • API ID: Cursor$LongMenuPopupProcTrackWindow
                • String ID:
                • API String ID: 2864067406-0
                • Opcode ID: 9fcd2fa539844f09e9d0a81f5f8d24771cd2a0e627f2b067e7ed786bba12dde5
                • Instruction ID: ce7b4616cd90703e1705a06c5e51780b4e063ba87bdbae3e8544a7bda8d6d497
                • Opcode Fuzzy Hash: 9fcd2fa539844f09e9d0a81f5f8d24771cd2a0e627f2b067e7ed786bba12dde5
                • Instruction Fuzzy Hash: 0A31A075605418AFCB25CF58C858EFA7BF9EB09310F044169F90A9B261C731AD50EFA4
                APIs
                  • Part of subcall function 0090810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00908121
                  • Part of subcall function 0090810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0090812B
                  • Part of subcall function 0090810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0090813A
                  • Part of subcall function 0090810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00908141
                  • Part of subcall function 0090810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00908157
                • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009086A3
                • _memcmp.LIBCMT ref: 009086C6
                • GetProcessHeap.KERNEL32(00000000,00000000), ref: 009086FC
                • HeapFree.KERNEL32(00000000), ref: 00908703
                Similarity
                • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                • String ID:
                • API String ID: 1592001646-0
                • Opcode ID: 67ec8c2597140c593258906eb9b9f6da4a2e575002d83497f7288319ce57d247
                • Instruction ID: 0f7b7fe4178c52fa7be2b4f51494b2fb459eee8d9d3a7e5f19b232bc174912c5
                • Opcode Fuzzy Hash: 67ec8c2597140c593258906eb9b9f6da4a2e575002d83497f7288319ce57d247
                • Instruction Fuzzy Hash: BA218C71E04209EFDB10DFA8C949BEEB7B9EF44314F164059E485AB281DB31AE05DF90
                APIs
                • __setmode.LIBCMT ref: 008D09AE
                  • Part of subcall function 008B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00917896,?,?,00000000), ref: 008B5A2C
                  • Part of subcall function 008B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00917896,?,?,00000000,?,?), ref: 008B5A50
                • _fprintf.LIBCMT ref: 008D09E5
                • OutputDebugStringW.KERNEL32(?), ref: 00905DBB
                  • Part of subcall function 008D4AAA: _flsall.LIBCMT ref: 008D4AC3
                • __setmode.LIBCMT ref: 008D0A1A
                Similarity
                • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                • String ID:
                • API String ID: 521402451-0
                • Opcode ID: fbc087ae388ba12e4fa8a9b3b829f882598c2eb7ea2743f82fdf5a3afe43caf4
                • Instruction ID: c8616b61e31bdfec2b0af2a38cb03dc7f2b526041cb8dd09c43c08795ee9e926
                • Opcode Fuzzy Hash: fbc087ae388ba12e4fa8a9b3b829f882598c2eb7ea2743f82fdf5a3afe43caf4
                • Instruction Fuzzy Hash: 0C1108319081086FDB04B3B8AC46AFE7768FF45310F140227F105E63D2EE7058415792
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009217A3
                  • Part of subcall function 0092182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0092184C
                  • Part of subcall function 0092182D: InternetCloseHandle.WININET(00000000), ref: 009218E9
                Similarity
                • API ID: Internet$CloseConnectHandleOpen
                • String ID:
                • API String ID: 1463438336-0
                • Opcode ID: 830cf3e7680899e6b45144ea65e98aa1f753008aed0afcdc5d8dab45aa137727
                • Instruction ID: b1e6096e84e8fa485f7deac6c9df385dab12f1c217e261ce9a69f5df2fc80af3
                • Instruction Fuzzy Hash: 8E21F631604615BFEB169F60EC41FBBBBEDFF98710F10442AFA1196664D771D820ABA0
                APIs
                • GetFileAttributesW.KERNEL32(?,0093FAC0), ref: 00913A64
                • GetLastError.KERNEL32 ref: 00913A73
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00913A82
                • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0093FAC0), ref: 00913ADF
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast
                • String ID:
                • API String ID: 2267087916-0
                • Opcode ID: 6ca00ad15fd1e2d350f3f9f6e7aedd05dc9bd9a50ad02709be97135c7b351717
                • Instruction ID: c12422016c1cf7a58bef95acb8c9a56272c7c703a6298211838c645224ba1f5f
                • Instruction Fuzzy Hash: 4F2162746082059F8710EF28D8918EB7BF8FE55364F148A29F499C72A1D7319A89CB82
                APIs
                  • Part of subcall function 0090F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0090DCD3,?,?,?,0090EAC6,00000000,000000EF,00000119,?,?), ref: 0090F0CB
                  • Part of subcall function 0090F0BC: lstrcpyW.KERNEL32(00000000,?,?,0090DCD3,?,?,?,0090EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0090F0F1
                  • Part of subcall function 0090F0BC: lstrcmpiW.KERNEL32(00000000,?,0090DCD3,?,?,?,0090EAC6,00000000,000000EF,00000119,?,?), ref: 0090F122
                • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0090EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0090DCEC
                • lstrcpyW.KERNEL32(00000000,?,?,0090EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0090DD12
                • lstrcmpiW.KERNEL32(00000002,cdecl,?,0090EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0090DD46
                Similarity
                • API ID: lstrcmpilstrcpylstrlen
                • String ID: cdecl
                • API String ID: 4031866154-3896280584
                • Opcode ID: 8061aa2241ee4d4cbfb6e9c4f01e9bcfd08e7267c99300f0267f0385d56f7d1f
                • Instruction ID: 9a8d9a5b5a2f909320c4eb076392d4fd626c736e449463bf14d765de232cad16
                • Instruction Fuzzy Hash: F311BE3A204305EFDB259FB4D845E7A77A9FF45350B40812AE806CB2E0EB719C40EB91
                APIs
                • _free.LIBCMT ref: 008E5101
                  • Part of subcall function 008D571C: __FF_MSGBANNER.LIBCMT ref: 008D5733
                  • Part of subcall function 008D571C: __NMSG_WRITE.LIBCMT ref: 008D573A
                  • Part of subcall function 008D571C: RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,00000000,?,?,?,008D0DD3,?), ref: 008D575F
                Similarity
                • API ID: AllocateHeap_free
                • String ID:
                • API String ID: 614378929-0
                • Opcode ID: 549a0e62febe6c815031af7d02a5fceaaf8855ccb07d15d85b83e3dc35e3b5c8
                • Instruction ID: 5327cbdd4ce62d7b0b903eae06f8214e3d5f93703f9e8c69e37f3d48e471bf8e
                • Instruction Fuzzy Hash: 0B11E372908A55AECB212F7AAC05B5E3798FB023A9F10462BF908D6350DE30C8409B91
                APIs
                • _memset.LIBCMT ref: 008B44CF
                  • Part of subcall function 008B407C: _memset.LIBCMT ref: 008B40FC
                  • Part of subcall function 008B407C: _wcscpy.LIBCMT ref: 008B4150
                  • Part of subcall function 008B407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008B4160
                • KillTimer.USER32(?,00000001,?,?), ref: 008B4524
                • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008B4533
                • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008ED4B9
                Similarity
                • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                • String ID:
                • API String ID: 1378193009-0
                • Opcode ID: 4875c13104545d1cabae98f52f04c3fd8863b46b4529485922bf2d8eea6b5e69
                • Instruction ID: 44de7ba14244418cb6a64932d7baf6144a09bd6388b5c5ac190b36b1509ad86f
                • Instruction Fuzzy Hash: D321DD719047889FE7329B248855BE6BBECFF16318F04009DE69ED6282C3746988DB55
                APIs
                  • Part of subcall function 008B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00917896,?,?,00000000), ref: 008B5A2C
                  • Part of subcall function 008B5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00917896,?,?,00000000,?,?), ref: 008B5A50
                • gethostbyname.WSOCK32(?,?,?), ref: 00926399
                • WSAGetLastError.WSOCK32(00000000), ref: 009263A4
                • _memmove.LIBCMT ref: 009263D1
                • inet_ntoa.WSOCK32(?), ref: 009263DC
                Similarity
                • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                • String ID:
                • API String ID: 1504782959-0
                • Opcode ID: 8073de63449f14f31b5e4235846e24c99970d4cb86e9238cf000570a908de7b7
                • Instruction ID: 957f9acb633235e12e38918e2ba410a74910f4673f7d5095a626382512267f7b
                • Instruction Fuzzy Hash: AB114C32904119AFCB04FBA8DD56DEEB7B8FF48310B144465F506E7261DB30AE14DB62
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00908B61
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00908B73
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00908B89
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00908BA4
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: f99a3a47f526973d154dac8187c6f6cf8d1b1e396ef8fa47486ada44e6a84939
                • Instruction ID: 120da04602f41a1182fe6f13278065f4526020ec01f9efcade7d0139cc3597b2
                • Instruction Fuzzy Hash: EB112E79A01218FFDB11DF95CD85FAEBBB8FB48710F2040A5E940B7290DA716E11DB94
                APIs
                  • Part of subcall function 008B2612: GetWindowLongW.USER32(?,000000EB), ref: 008B2623
                • DefDlgProcW.USER32(?,00000020,?), ref: 008B12D8
                • GetClientRect.USER32(?,?), ref: 008EB5FB
                • GetCursorPos.USER32(?), ref: 008EB605
                • ScreenToClient.USER32(?,?), ref: 008EB610
                Similarity
                • API ID: Client$CursorLongProcRectScreenWindow
                • String ID:
                • API String ID: 4127811313-0
                • Opcode ID: 30c7b1a004fe50d8ca81b5b77122f7a75385bf893062ed090ba3cb713a7e3b03
                • Instruction ID: e759e4b6798f9329a3e47a7e660dc1db772833c4dac85f3ecfd51948c2f93567
                • Instruction Fuzzy Hash: BC112536A14019AFCF14EFA8D8999FE77B8FB05301F900466F911EB250C730AA559BA6
                APIs
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0090FCED,?,00910D40,?,00008000), ref: 0091115F
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0090FCED,?,00910D40,?,00008000), ref: 00911184
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0090FCED,?,00910D40,?,00008000), ref: 0091118E
                • Sleep.KERNEL32(?,?,?,?,?,?,?,0090FCED,?,00910D40,?,00008000), ref: 009111C1
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: dbfd857ccc28bb1bbedb02eb7f7aea6008940ef289badafa8cfe9aa45fc8c74a
                • Instruction ID: b731430c25ba1d7a08fdbd078b802d9119e5752658f29497fa591c33d319774c
                • Instruction Fuzzy Hash: 7C111831E0851DFBCF009FA5E888BEEFBB8FB09711F004456EB55B2240CB7095909B95
                APIs
                • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0090D84D
                • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0090D864
                • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0090D879
                • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0090D897
                Similarity
                • API ID: Type$Register$FileLoadModuleNameUser
                • String ID:
                • API String ID: 1352324309-0
                • Opcode ID: 7256afa35f7c050fdb581d4da1c257e0ca199b6861db912e168b27b501153c1d
                • Instruction ID: 7c7683bf57fab134e4e7d4c9af44f1370fb50d6e1fb22dd84e2b368fd01a04c9
                • Instruction Fuzzy Hash: E5115E75A06304DFE7208F90ED0CF92BBBCEB00B10F10C969A916D6090D7B4E549AFA1
                APIs
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                • Instruction ID: e2859d969375a5bac2707704d71b01914a0153b977fdcbedfed542fa71b082a5
                • Instruction Fuzzy Hash: 7801407244458EBBCF165F8ACC01CED3F62FB2A355F588415FE1898031D236C9B1AB81
                APIs
                • GetWindowRect.USER32(?,?), ref: 0093B2E4
                • ScreenToClient.USER32(?,?), ref: 0093B2FC
                • ScreenToClient.USER32(?,?), ref: 0093B320
                • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0093B33B
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                • Opcode ID: 9091ef0206257df05a19d3a0ca5fe0e2e21014ea48d84aaa10e7a2bc41f86dca
                • Instruction ID: 522900882eaeff6efd5dfe36b8f8b79e008b0bbfad292b129c277cf9d2de86f0
                • Instruction Fuzzy Hash: 6C1143B9D0460DEFDB41CFA9C8859EEBBB9FB08314F108166E914E3220D735AA559F50
                APIs
                • _memset.LIBCMT ref: 0093B644
                • _memset.LIBCMT ref: 0093B653
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00976F20,00976F64), ref: 0093B682
                • CloseHandle.KERNEL32 ref: 0093B694
                Similarity
                • API ID: _memset$CloseCreateHandleProcess
                • String ID:
                • API String ID: 3277943733-0
                • Opcode ID: 13c481c2c749a2a6d9edb1c94f95d1aef497bf750b1c937d2e9b6c17c2e92459
                • Instruction ID: ffb74641e4078e4f9583f7b405ff6396947c48ed3825eafc56186f376bb7cd96
                • Instruction Fuzzy Hash: 09F05EB3654704BEE3102B65BC06FBB3E9CEB08395F004021FA0CE6192D7714C009BA9
                APIs
                • EnterCriticalSection.KERNEL32(?), ref: 00916BE6
                  • Part of subcall function 009176C4: _memset.LIBCMT ref: 009176F9
                • _memmove.LIBCMT ref: 00916C09
                • _memset.LIBCMT ref: 00916C16
                • LeaveCriticalSection.KERNEL32(?), ref: 00916C26
                Similarity
                • API ID: CriticalSection_memset$EnterLeave_memmove
                • String ID:
                • API String ID: 48991266-0
                • Opcode ID: b8233f5b89bb81d1d6dcd29fdf343f78edf997bbf9a84eb85913c7a88a645365
                • Instruction ID: 3f6e003fbe96637591d544ecdc94e3c2a9ae0a3fdceada16931bb27da721a5f8
                • Instruction Fuzzy Hash: 65F05E3A204104ABCF016F95DC85E8ABB2AEF85360F088061FE089E267C771E851DFB5
                APIs
                • GetSysColor.USER32(00000008), ref: 008B2231
                • SetTextColor.GDI32(?,000000FF), ref: 008B223B
                • SetBkMode.GDI32(?,00000001), ref: 008B2250
                • GetStockObject.GDI32(00000005), ref: 008B2258
                • GetWindowDC.USER32(?,00000000), ref: 008EBE83
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 008EBE90
                • GetPixel.GDI32(00000000,?,00000000), ref: 008EBEA9
                • GetPixel.GDI32(00000000,00000000,?), ref: 008EBEC2
                • GetPixel.GDI32(00000000,?,?), ref: 008EBEE2
                • ReleaseDC.USER32(?,00000000), ref: 008EBEED
                Similarity
                • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                • String ID:
                • API String ID: 1946975507-0
                • Opcode ID: 6d59f844b2d310beae386390c4a5ab156bd2b8b723cda9b712aa7c7bff3dc397
                • Instruction ID: 00a12ad60f387bd9166fff97b8846a5c94f69ee15a7e46229ed79812f0286798
                • Instruction Fuzzy Hash: B9E03031518144AADF215FA4FC0D7D83B10EB06336F008366FA69880E187714580EF11
                APIs
                • GetCurrentThread.KERNEL32 ref: 0090871B
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,009082E6), ref: 00908722
                • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009082E6), ref: 0090872F
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,009082E6), ref: 00908736
                Similarity
                • API ID: CurrentOpenProcessThreadToken
                • String ID:
                • API String ID: 3974789173-0
                • Opcode ID: 28b39a40cc23ea25702f6def2c55bfd5883485dfc38d8e020173d876a4995dc4
                • Instruction ID: b2e2b19821293cc9463ef56f9e3d9cd998c32c4e775787ace238e4b7c4e7ee91
                • Instruction Fuzzy Hash: FAE08636B292119FD7205FB45D0CB5B3BACEF507D1F144828B285D9091DB348445DF50
                APIs
                • __getptd_noexit.LIBCMT ref: 008D5DAD
                  • Part of subcall function 008D99C4: GetLastError.KERNEL32(00000000,008D0DD3,008D8B2D,008D57A3,?,?,008D0DD3,?), ref: 008D99C6
                  • Part of subcall function 008D99C4: __calloc_crt.LIBCMT ref: 008D99E7
                  • Part of subcall function 008D99C4: __initptd.LIBCMT ref: 008D9A09
                  • Part of subcall function 008D99C4: GetCurrentThreadId.KERNEL32 ref: 008D9A10
                  • Part of subcall function 008D99C4: SetLastError.KERNEL32(00000000,008D0DD3,?), ref: 008D9A28
                • CloseHandle.KERNEL32(?,?,008D5D8C), ref: 008D5DC1
                • __freeptd.LIBCMT ref: 008D5DC8
                • ExitThread.KERNEL32 ref: 008D5DD0
                Similarity
                • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                • String ID:
                • API String ID: 4169687693-0
                • Opcode ID: b81c0eac29874f60a909859aece7a260e8c904c649d900905e8e8e07e188e4f4
                • Instruction ID: a045828f31b329c2f963f037d71b6ee46c7039ffdf296d25ee1bc73cfca626d0
                • Instruction Fuzzy Hash: 4DD0A731401F105BC23237348C2D6393750FF007A1B04432BF0A5C52F09F2098028A52
                APIs
                • OleSetContainedObject.OLE32(?,00000001), ref: 0090B4BE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ContainedObject
                • String ID: AutoIt3GUI$Container
                • API String ID: 3565006973-3941886329
                • Opcode ID: 873a3702d2e357f5122b473ff6b5315b10ee39c4d0e52017ba13a7cf1a6e0d32
                • Instruction ID: 0d5753e6edd1fd0dedb2c93f8f9c81a605e302fde7a6d22dd12f31317c55e01f
                • Opcode Fuzzy Hash: 873a3702d2e357f5122b473ff6b5315b10ee39c4d0e52017ba13a7cf1a6e0d32
                • Instruction Fuzzy Hash: 25913770600601AFDB14DF68C884B6ABBF9FF49710F20856EF94ADB2A1DB71E841CB50
                APIs
                  • Part of subcall function 008CFC86: _wcscpy.LIBCMT ref: 008CFCA9
                  • Part of subcall function 008B9837: __itow.LIBCMT ref: 008B9862
                  • Part of subcall function 008B9837: __swprintf.LIBCMT ref: 008B98AC
                • __wcsnicmp.LIBCMT ref: 0091B02D
                • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0091B0F6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                • String ID: LPT
                • API String ID: 3222508074-1350329615
                • Opcode ID: 01db8b34821218fefcc7a7fef7dfd1c4399cb968a656d9b9d46aadb9d667a5ac
                • Instruction ID: 411e4b0242b6afb8f16dd251eca049d8a7067120244072290ea8a867282fc179
                • Opcode Fuzzy Hash: 01db8b34821218fefcc7a7fef7dfd1c4399cb968a656d9b9d46aadb9d667a5ac
                • Instruction Fuzzy Hash: 55619175A04219AFCB14DF98C891EEEB7B9FF08310F114069F956AB3A1D770AE80CB51
                APIs
                • Sleep.KERNEL32(00000000), ref: 008C2968
                • GlobalMemoryStatusEx.KERNEL32(?), ref: 008C2981
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: 802fa79e2ae7e3e56934015b1a5a6f5d95d4c3e0d8e95307adb6c0797f51d446
                • Instruction ID: 01674c82580100242cc0f0229350da93edc1a010abc589886ee6c84bed85957e
                • Opcode Fuzzy Hash: 802fa79e2ae7e3e56934015b1a5a6f5d95d4c3e0d8e95307adb6c0797f51d446
                • Instruction Fuzzy Hash: 6D5144724187449BD320AF14D886BEBBBE8FB85345F41885DF2E8812A1DB309569CB67
                APIs
                  • Part of subcall function 008B4F0B: __fread_nolock.LIBCMT ref: 008B4F29
                • _wcscmp.LIBCMT ref: 00919824
                • _wcscmp.LIBCMT ref: 00919837
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: _wcscmp$__fread_nolock
                • String ID: FILE
                • API String ID: 4029003684-3121273764
                • Opcode ID: 7967e199f4fb29d465cc1e8b749413f4a2495c87e3420cd7c688ff5893650f29
                • Instruction ID: 9050290a89f1da11dff49292fc127b43bc6ad21d2c6537791d37c18b67adc905
                • Opcode Fuzzy Hash: 7967e199f4fb29d465cc1e8b749413f4a2495c87e3420cd7c688ff5893650f29
                • Instruction Fuzzy Hash: 0741C871A0420DBADF219FA4CC56FEFB7BDEF85710F00046AF904E7291DA71A9448B61
                APIs
                • _memset.LIBCMT ref: 0092259E
                • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 009225D4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CrackInternet_memset
                • String ID: |
                • API String ID: 1413715105-2343686810
                • Opcode ID: ebbc6ee166978b3df562514ec66440ee1cd34d68fb503cf01385b0ef40d4dac2
                • Instruction ID: f849e5a496e42ab897f04450378888b66723022dca21592c1d28bc761d371761
                • Opcode Fuzzy Hash: ebbc6ee166978b3df562514ec66440ee1cd34d68fb503cf01385b0ef40d4dac2
                • Instruction Fuzzy Hash: 09313B71800219EBDF01EFA4DC85EEEBFB8FF08310F10005AF915A6266EB315956DB61
                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 00937B61
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00937B76
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                • Opcode ID: 2a1f2e7198d8f0f97db0e01c49e3d8a3afa191f01d4dcf675750c0a448fb1dd1
                • Instruction ID: e8230a5038189c73650ca0eb403cf376678926b5392394d49e5d270b2308043a
                • Opcode Fuzzy Hash: 2a1f2e7198d8f0f97db0e01c49e3d8a3afa191f01d4dcf675750c0a448fb1dd1
                • Instruction Fuzzy Hash: 3B41FAB5A052099FDB64CFA4C981BEABBF9FB09300F14056AE904EB351D770A951CF90
                APIs
                • DestroyWindow.USER32(?,?,?,?), ref: 00936B17
                • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00936B53
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$DestroyMove
                • String ID: static
                • API String ID: 2139405536-2160076837
                • Opcode ID: 556af96bce466d9fbb8aca64d694ac8a5c4e624706361d3906260ba6c99c4443
                • Instruction ID: 8271f5ae762c3e1c410fd2e3c933b1ae2e670ebe34ca8aa22bcb9f7ccd5f8fc3
                • Opcode Fuzzy Hash: 556af96bce466d9fbb8aca64d694ac8a5c4e624706361d3906260ba6c99c4443
                • Instruction Fuzzy Hash: E2316D71210608AEEB109F68CC91BFB77BDFF48764F108619F9A9D7190DA31AC91DB60
                APIs
                • _memset.LIBCMT ref: 00912911
                • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0091294C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: InfoItemMenu_memset
                • String ID: 0
                • API String ID: 2223754486-4108050209
                • Opcode ID: 4e57e37f17d477631f9101fca49b8d54980b713836e6f423ab7d460fb562154b
                • Instruction ID: 49f3ddf1c78cbf293f9d21cc64be1c4b1389fc94a17e9cddf6bcbc8c920cb8de
                • Opcode Fuzzy Hash: 4e57e37f17d477631f9101fca49b8d54980b713836e6f423ab7d460fb562154b
                • Instruction Fuzzy Hash: F431C331B0030D9BEB28EF5CCA45BEEBBB9EF45350F140029E985E62A0D7709990DB51
                APIs
                • __snwprintf.LIBCMT ref: 00923A66
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: __snwprintf_memmove
                • String ID: , $$AUTOITCALLVARIABLE%d
                • API String ID: 3506404897-2584243854
                • Opcode ID: 02f123967385b4858420467a40c10f86b1d1d01f0671ce5ba0c7e24c9f642656
                • Instruction ID: 5c94de79e1574c212cd537a852dbd40566ceb1e68f249aba5b35fc98b41c9838
                • Opcode Fuzzy Hash: 02f123967385b4858420467a40c10f86b1d1d01f0671ce5ba0c7e24c9f642656
                • Instruction Fuzzy Hash: 6A218F30604229AECF10EF68DC92AEE7BB9FF84300F404469E445A7285DB34EA45CB62
                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00936761
                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0093676C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                • Opcode ID: 17112a4bcd795129e7e815819fdf1c604f52f97ebe72b25c84c53f080a1ae8c4
                • Instruction ID: 972993a3a6c44b8dc676b70a15f6b002531e9d1d6063507ad0d206dc24d2d29b
                • Opcode Fuzzy Hash: 17112a4bcd795129e7e815819fdf1c604f52f97ebe72b25c84c53f080a1ae8c4
                • Instruction Fuzzy Hash: 3C11B271210208BFEF118F54CC81EAB376EEB883A8F508129F91997290D6719C518BA0
                APIs
                  • Part of subcall function 008B1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 008B1D73
                  • Part of subcall function 008B1D35: GetStockObject.GDI32(00000011), ref: 008B1D87
                  • Part of subcall function 008B1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 008B1D91
                • GetWindowRect.USER32(00000000,?), ref: 00936C71
                • GetSysColor.USER32(00000012), ref: 00936C8B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Window$ColorCreateMessageObjectRectSendStock
                • String ID: static
                • API String ID: 1983116058-2160076837
                • Opcode ID: e5c1f008063e8be4c89fcb90a275a142b83c8bb9feecd4b3f1033745f1003344
                • Instruction ID: 14d331a97a6c46b09fdf33d08dedc6c7a24ec07180df406252e27b932f60e60f
                • Opcode Fuzzy Hash: e5c1f008063e8be4c89fcb90a275a142b83c8bb9feecd4b3f1033745f1003344
                • Instruction Fuzzy Hash: 8A212972920209AFDF04DFA8CC45EFA7BA8FB08314F055629FA95D2250D635E850DF60
                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 009369A2
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009369B1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: edit
                • API String ID: 2978978980-2167791130
                • Opcode ID: f5aac3d04e96af6d96d76203a6bf1273dcb5d451441b287af2892f0e8217ab12
                • Instruction ID: 70e80a4d5010de06628d5226e1b5a72fcb5f5064d5e4c8374b1b5c4850585aa3
                • Opcode Fuzzy Hash: f5aac3d04e96af6d96d76203a6bf1273dcb5d451441b287af2892f0e8217ab12
                • Instruction Fuzzy Hash: 25116D71510208BBEB108E64DC55BEB3B6DEB05378F608728F9A5961E0C675DC50AB60
                APIs
                • _memset.LIBCMT ref: 00912A22
                • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00912A41
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: InfoItemMenu_memset
                • String ID: 0
                • API String ID: 2223754486-4108050209
                • Opcode ID: 90edcf63e986c1ff7ae884fe08f06a04ba484220f57dc8e4f8b4abe53ba59447
                • Instruction ID: 4da21d0553a5ce3459c8cf922aba3aefc74cff1754bb308143298d3c31cb956f
                • Opcode Fuzzy Hash: 90edcf63e986c1ff7ae884fe08f06a04ba484220f57dc8e4f8b4abe53ba59447
                • Instruction Fuzzy Hash: 2C11D032E1521CABCB34EB98D844BEA73ACAF45300F054021E959E72D0D770AD9AC791
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0092222C
                • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00922255
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Internet$OpenOption
                • String ID: <local>
                • API String ID: 942729171-4266983199
                • Opcode ID: d8dfaa2a79b92aef847d45dedbfadbb03be4bfddb6dd20cc5c174a5177923e6d
                • Instruction ID: b2a1380114d6953ccbe15be408ab13521487b2f5285c35b041543a89abafbfd7
                • Opcode Fuzzy Hash: d8dfaa2a79b92aef847d45dedbfadbb03be4bfddb6dd20cc5c174a5177923e6d
                • Instruction Fuzzy Hash: 89110270541235FADB288F11AC85EBBFBACFF16351F10862AF92546000D2716990DAF0
                APIs
                  • Part of subcall function 00927FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00927DB3,?,00000000,?,?), ref: 0092800D
                • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00927DB6
                • htons.WSOCK32(00000000,?,00000000), ref: 00927DF3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ByteCharMultiWidehtonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 2496851823-2422070025
                • Opcode ID: 1cf4f7b3d0b417b7b3d2944e47a6be6d63ef2ffc78e68b4ba4b5c8f389c49bc1
                • Instruction ID: 7a254274a72fe1139570a12b0edded25104ba1ac82e153b8d5bae9275e3fc2fa
                • Opcode Fuzzy Hash: 1cf4f7b3d0b417b7b3d2944e47a6be6d63ef2ffc78e68b4ba4b5c8f389c49bc1
                • Instruction Fuzzy Hash: 50118235504215ABCB20AFA4EC86FBEF764FF54320F104956E915A72D5DB71AC10C6A1
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 0090AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0090AABC
                • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00908E73
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClassMessageNameSend_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 372448540-1403004172
                • Opcode ID: 6d8205ccde9af3579d99859b6b19e46ed5d774bc7417ae1b4f887f816b5e7bf8
                • Instruction ID: be5f60be1088daca55d16b0efdbd10b77beab053345202332745806dadd70e37
                • Opcode Fuzzy Hash: 6d8205ccde9af3579d99859b6b19e46ed5d774bc7417ae1b4f887f816b5e7bf8
                • Instruction Fuzzy Hash: 1401CCB1B01218ABCF14BBA4CC569FE7769EB81360B040A19F865972E2DE355808D651
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 0090AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0090AABC
                • SendMessageW.USER32(?,00000180,00000000,?), ref: 00908D6B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClassMessageNameSend_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 372448540-1403004172
                • Opcode ID: 21dc2adfb9defc46d05f54533e2581db6c1807856b4b031cd0f573d884bef207
                • Instruction ID: 90df29883d0e23604a8bbc7113264d64d1e8e431f0d1abd1a2d220bfe2215c5a
                • Opcode Fuzzy Hash: 21dc2adfb9defc46d05f54533e2581db6c1807856b4b031cd0f573d884bef207
                • Instruction Fuzzy Hash: 6B01D471B41208AFCF14EBE4C956AFF77A8DF55340F140519B841A32E1DE145E08D6B2
                APIs
                  • Part of subcall function 008B7DE1: _memmove.LIBCMT ref: 008B7E22
                  • Part of subcall function 0090AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0090AABC
                • SendMessageW.USER32(?,00000182,?,00000000), ref: 00908DEE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                 • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClassMessageNameSend_memmove
                • String ID: ComboBox$ListBox
                • API String ID: 372448540-1403004172
                • Opcode ID: ea4d9ae6484785df635befcf876eb022442c89752bed93b6c15c8f004851dbdc
                • Instruction ID: daf9bffe679b4ba73f9f4bc6b6c9778b671df3f79bdd61a4b16c636fb73c5d2a
                • Opcode Fuzzy Hash: ea4d9ae6484785df635befcf876eb022442c89752bed93b6c15c8f004851dbdc
                • Instruction Fuzzy Hash: 3801F271B41208ABCF10EBA8C982AFF77ADDF11340F140519B841A32D2DE254E08D2B2
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: ClassName_wcscmp
                • String ID: #32770
                • API String ID: 2292705959-463685578
                • Opcode ID: 55c2680b47eec09d1f356930bbc59861e8a09acc619794be48e4b3708a4acede
                • Instruction ID: 8539fcac0bc92b245ff245097f3e08afd9ba75ec076d60c2f47c7429b227b0a4
                • Opcode Fuzzy Hash: 55c2680b47eec09d1f356930bbc59861e8a09acc619794be48e4b3708a4acede
                • Instruction Fuzzy Hash: 2CE0D833A0422C2BD7209B99AC49FA7F7ACEB85B70F000167FD04D7151E9609A45CBE1
                APIs
                  • Part of subcall function 008EB314: _memset.LIBCMT ref: 008EB321
                  • Part of subcall function 008D0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008EB2F0,?,?,?,008B100A), ref: 008D0945
                • IsDebuggerPresent.KERNEL32(?,?,?,008B100A), ref: 008EB2F4
                • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008B100A), ref: 008EB303
                Strings
                • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008EB2FE
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                • API String ID: 3158253471-631824599
                • Opcode ID: 10d538ac41ede497134387e61cb24104e9cf7f2ff24d94b94340c3aae9cc005f
                • Instruction ID: 605c630f5e6382668a343ae7407aed09435a919756349377349ebdd87067dafc
                • Opcode Fuzzy Hash: 10d538ac41ede497134387e61cb24104e9cf7f2ff24d94b94340c3aae9cc005f
                • Instruction Fuzzy Hash: 92E039706147418AD720DF6AD5153477AE4FF01304F008A2DE896C6751E7B4D448CFA1
                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00907C82
                  • Part of subcall function 008D3358: _doexit.LIBCMT ref: 008D3362
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Message_doexit
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 1993061046-4017498283
                • Opcode ID: 21774a53c442e2bbdae85b88ab5b9552703cc669b84d330a7bb8dcab5215e2d8
                • Instruction ID: c730cf7dd4a2e486eecf578bfeba757f917a163149a932375710d04706bd7d23
                • Opcode Fuzzy Hash: 21774a53c442e2bbdae85b88ab5b9552703cc669b84d330a7bb8dcab5215e2d8
                • Instruction Fuzzy Hash: 98D012323C832837D11532A96D07FCA67889B05B5AF040416BB44996D349D1598151A6
                APIs
                • GetSystemDirectoryW.KERNEL32(?), ref: 008F1775
                  • Part of subcall function 0092BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,008F195E,?), ref: 0092BFFE
                  • Part of subcall function 0092BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0092C010
                • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 008F196D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: Library$AddressDirectoryFreeLoadProcSystem
                • String ID: WIN_XPe
                • API String ID: 582185067-3257408948
                • Opcode ID: 9c2a3663492ebf6cdf6dadc32fe76c52b3043483faf8bc59c5b189c22fb5454c
                • Instruction ID: 7479744cffddcf9dafe3a91a0b3d027a7f30415806a9656ff1f6b6312d31ec1e
                • Opcode Fuzzy Hash: 9c2a3663492ebf6cdf6dadc32fe76c52b3043483faf8bc59c5b189c22fb5454c
                • Instruction Fuzzy Hash: 73F0157181500DDFCB15EBA1CA98AECBBF8FB18304F200095E206E24A4C7704E84DF60
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009359AE
                • PostMessageW.USER32(00000000), ref: 009359B5
                  • Part of subcall function 00915244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009152BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: 0706c0c5dec1c474a34b7e259299b463f7164ef80edfb56f598d575d0d455d21
                • Instruction ID: 1475a580c823c61c22e558464e93468c9fea71a93a2e8cb0b1d343ba08e9b6c0
                • Opcode Fuzzy Hash: 0706c0c5dec1c474a34b7e259299b463f7164ef80edfb56f598d575d0d455d21
                • Instruction Fuzzy Hash: 3ED0C932794715BAE664AB709C1BFD76615AB94B54F010825B256EA1E0C9E0A800DA54
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093596E
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00935981
                  • Part of subcall function 00915244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 009152BC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2099334006.00000000008B1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008B0000, based on PE: true
                • Associated: 00000000.00000002.2099289173.00000000008B0000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.000000000093F000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099385186.0000000000964000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099421935.000000000096E000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.2099438150.0000000000977000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8b0000_Drawing&spec.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: b9e2c0e1314ba0e3c431afbacde500f4b4a442eacc2b942ed2fea5eceb611b17
                • Instruction ID: affcd9648fb35608b9fda94dd80deaae2cf6d7f8db03dccb977b3e67c77a40fb
                • Opcode Fuzzy Hash: b9e2c0e1314ba0e3c431afbacde500f4b4a442eacc2b942ed2fea5eceb611b17
                • Instruction Fuzzy Hash: A4D0C932798715B6E664AB709C1BFE76A15AB90B54F010825B25AAA1E0C9E09800DA54
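The function records above all share one layout (APIs, Strings, Memory Dump Source, Similarity keys). The Python below is an added example, not Joe Sandbox's or the sample's own code: it parses that layout into records, separates direct API calls from "Part of subcall function" lines, pulls out the "API String ID" similarity key, lists names resolved through GetProcAddress (here GetSystemWow64DirectoryW, which the AutoIt runtime resolves at run time because some older Windows builds lack it), and flags anti-analysis APIs. It also marks the IsDebuggerPresent/OutputDebugStringW pair carrying the "Unable to initialize critical section in CAtlBaseModule" string as ATL library boilerplate: that call sits on the failure path of CAtlBaseModule's constructor, not in author-written anti-debug logic. SAMPLE is an excerpt constructed from three of the records above; the watchlist and all function names are this example's own choices.

```python
"""Triage helper for Joe Sandbox per-function records (added example, not
Joe Sandbox code): parse, extract similarity keys, spot dynamic imports and
anti-analysis APIs, and mark known compiler-library boilerplate."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt in the report's own layout (three records from this page).
SAMPLE = """\
APIs
  • Part of subcall function 008EB314: _memset.LIBCMT ref: 008EB321
• IsDebuggerPresent.KERNEL32(?,?,?,008B100A), ref: 008EB2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008B100A), ref: 008EB303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008EB2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: 10d538ac41ede497134387e61cb24104e9cf7f2ff24d94b94340c3aae9cc005f
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 008F1775
  • Part of subcall function 0092BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,008F195E,?), ref: 0092BFFE
  • Part of subcall function 0092BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0092C010
• FreeLibrary.KERNEL32(00000000,?,00000104), ref: 008F196D
Strings
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00935981
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
"""

SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-F]{8}):\s*(?P<rest>.+)$")
CALL_RE = re.compile(r"^(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-F]{8})$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
# Watchlist is this example's choice; extend as needed.
ANTI_ANALYSIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                 "OutputDebugStringW", "OutputDebugStringA", "NtQueryInformationProcess"}
ATL_INIT_ERROR = "Unable to initialize critical section in CAtlBaseModule"


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    caller: Optional[str] = None   # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)      # (text, xref) pairs
    similarity: dict = field(default_factory=dict)
    meta: dict = field(default_factory=dict)

    @property
    def api_string_id(self) -> str:
        return self.similarity.get("API String ID", "")

    @property
    def direct_calls(self) -> list:
        return [c for c in self.calls if c.caller is None]


def parse_api_line(body: str) -> Optional[ApiCall]:
    caller = None
    m = SUBCALL_RE.match(body)
    if m:
        caller, body = m.group("caller"), m.group("rest")
    m = CALL_RE.match(body)
    if not m:
        return None
    args = m.group("args")
    return ApiCall(m.group("name"), m.group("mod"), args.split(",") if args else [], m.group("ref"), caller)


def parse_records(text: str) -> list:
    """Each 'APIs' header opens a new record; bullets are routed by current section."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
            continue
        if current is None or not line.startswith("•"):
            continue
        body = line.lstrip("•").strip()
        if section == "APIs":
            call = parse_api_line(body)
            if call:
                current.calls.append(call)
        elif section == "Strings":
            s, x = body.rsplit(", xrefs: ", 1) if ", xrefs: " in body else (body, "")
            current.strings.append((s, x))
        else:
            key, _, val = body.partition(": ")
            (current.similarity if section == "Similarity" else current.meta)[key] = val
    return records


def dynamic_imports(rec: FunctionRecord) -> list:
    """Names passed to GetProcAddress: APIs resolved at run time, bypassing the import table."""
    return [c.args[1] for c in rec.calls
            if c.name == "GetProcAddress" and len(c.args) >= 2 and c.args[1] != "?"]


def is_atl_init_boilerplate(rec: FunctionRecord) -> bool:
    """ATL's CAtlBaseModule constructor calls IsDebuggerPresent only to decide
    whether to emit this exact OutputDebugString message when critical-section
    initialization fails; it is library code, not the sample author's check."""
    return any(ATL_INIT_ERROR in s for s, _ in rec.strings)


def triage(records: list) -> list:
    """(record, sorted watched API names, is_library_boilerplate) for each hit."""
    out = []
    for r in records:
        hits = sorted({c.name for c in r.calls if c.name in ANTI_ANALYSIS})
        if hits:
            out.append((r, hits, is_atl_init_boilerplate(r)))
    return out
```

Running `triage(parse_records(SAMPLE))` yields one hit, the CAtlBaseModule record, marked as boilerplate; the second record exposes `GetSystemWow64DirectoryW` through `dynamic_imports`, and the third (Shell_TrayWnd / PostMessageW 0x111) produces no anti-analysis hit. Pivoting on `api_string_id` is how you would match these functions against other reports without relying on addresses.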